“Does HIPAA Apply to Employers” is a question that has triggered varied responses because of the complex nature of the HIPAA Privacy Rule. The HIPAA Privacy Rule appears complicated because it aims to standardize how individually identifiable personal information is safeguarded throughout different use cases. The language used is “non-specific” and so it is subject to several interpretations.
Many have tried to sum up the HIPAA Privacy Rule in a style that plainly describes who the legislation covers and how it must be employed. Sadly, due to its complex nature, the majority of summaries do not sufficiently answer “how does HIPAA apply to employers?” This article aims to answer the question as precisely and succinctly as possible.
What are HIPAA-Covered Transactions?
The HIPAA Privacy Rule details the 18 elements of individually identifiable health information that must be secured and protected from unauthorized access and classes information containing these identifiers as Protected Health Information (PHI). A lot of these data elements are given to an employer or the HR Department when a person joins a company. Thus, under that summarized explanation, the answer would be yes. HIPAA does apply to employers.
However, information containing those identifiers is only covered by HIPAA if it is utilized to communicate data concerning a person’s past, current or future health condition, the provision of healthcare services to a person, or for the payment of healthcare services. Consequently, if a worker provided their individually identifiable health information to an employer, but the employer never used any information for the purposes mentioned above, HIPAA does not apply to the employer.
In addition, one factor frequently disregarded in HIPAA Privacy Rule summaries is that before a “Covered Entity” can be subject to the regulation, the purpose for generating, using, holding or disclosing PHI must be a HIPAA-covered transaction. The following are considered HIPAA-covered transactions (but aren’t limited to these):
- A request to claim payment by a healthcare company from a health plan supported by proper documentation.
- An query from a healthcare company to a health plan regarding the eligibility of a person to get treatment.
- A request to a health plan to refer a person to a different healthcare company (as well as the health plan’s reply).
- Transmitting (1) Explanation of benefits or (2) Remittance advice from a health plan to a healthcare company.
For more details on HIPAA-covered transactions, see 45 CFR Part 2, particularly §§ 162.1101 to 162.1801.
Does HIPAA Apply to Employers’ Self-Insured Health Plans?
By using the conditions mentioned above for HIPAA-covered transactions, an employer could only be engaged in these kinds of transactions if:
- They have onsite clinics that are part of the employees’ health benefits
- They offer employees a self-insured health plan
- If they serve as an intermediary among employees, healthcare companies and health plans
Since an onsite clinic isn’t a “portable” employee health benefit (i.e. an employee cannot take the benefit when he or she transfers to another job), it is exempted from the HIPAA Privacy Rule. Employers offering self-insured health plans are likewise exempted since HIPAA considers the employer as a separate legal entity from the health plan, even though the employer manages the self-insured health plan.
Nevertheless, to be able to manage a self-insured health plan, or work as an intermediary between employees, healthcare companies and health plans, the employer must “partially comply” and must present certification that PHI will be protected and not utilized for employment-related transactions.
The certification is similar to a Business Associate Agreement and it permits the self-insured health plan to share PHI with the employer, but just to accomplish the purpose of managing the health plan. Any other use of PHI will be tantamount to an unauthorized disclosure exposing the employer to sanctions by the Department of Health & Human Services and state attorneys general. More information concerning employer certification is available in 45 CFR 164.504(f).
Conclusion: What HIPAA Means for Employers
The general answer to the question “Does HIPAA Apply to Employers” is no. What HIPAA means to employers is that, unless they qualify as an organization subject to partial compliance as described above, they do not have to implement measures to protect employee records in accordance with the HIPAA Privacy and Security Rules. However, other federal and state laws may apply.
For example, the Fair and Accurate Credit Transaction Act includes rules about how employers can use and disclosure certain information about employees, while state laws such as the California Privacy Rights Act includes rights like those in the Privacy Rule which give employees the right to know, correct, and delete any information held about them, as well as the right to limit uses and disclosures of sensitive personal information.
Employers unsure about what HIPAA – or any other federal or state law – means to them with regards to the privacy and confidentiality of employee records should seek professional compliance advice.