Legal Trends: A Regulatory Surprise

By Jodi Plavner May 1, 2003

HR Magazine, May 2003

The recent deadline for HIPAA privacy compliance caught many employers off guard.

April 14, 2003, came and went without some HR professionals noting or even appreciating the legal significance of the date. That’s potentially dangerous because, on that day, some employers—perhaps much to their surprise—became liable for ensuring the privacy of their employees’ medical information under regulations for the Health Insurance Portability and Accountability Act (HIPAA).

It is easy to see how employers could mistakenly believe they aren’t required to abide by these regulations. After all, the rules apply to entities such as health plans, health care clearinghouses and health care providers that electronically transmit a patient’s identifiable protected health information (PHI).

Employers who aren’t involved primarily in health care might easily—but mistakenly—conclude that they are not subject to these regulations. In fact, based on the experiences in our law firm, some employers who determined they were not covered by HIPAA’s privacy regulations are indeed covered, at least in part, due to their role as plan sponsor and/or plan administrator.

This article focuses on how employers that are neither health care providers nor clearinghouses in the traditional sense still may be obligated to comply with HIPAA due to the benefit plans they sponsor or certain health care services they provide ancillary to their primary purposes.

Note that although the initial April 14 deadline for compliance has passed, employers still have time to avoid penalties for non-compliance if they act quickly and in good faith to get into compliance.

Benefit Plans

Employers are not considered “covered entities” under HIPAA when they act solely in their capacity as employers. However, when acting in the capacity of a “health plan” or “plan sponsor,” as defined by HIPAA, those employer functions will be subject to the law’s privacy compliance requirements.

While less onerous than for non-health care providers, compliance at a modified level is still mandated for many employers that serve as plan sponsors of covered plans—especially if they receive PHI. Covered plans include hospital and medical benefits plans, dental plans, vision plans, health flexible spending accounts and employee assistance plans. Fully insured and self-insured plans are covered to the extent they provide medical care to employees and/or dependents.

There is one exception to the HIPAA privacy rules: Employers that sponsor self-administered group health plans with fewer than 50 participants are not subject to the HIPAA privacy rules.

In addition, plans with fewer than $5 million of “receipts,” while not exempted entirely from the rules, have until April 14, 2004, to comply.

Health Care Services

Employers may find themselves covered by HIPAA as a health care provider even if their primary functions are unrelated to health care.

For instance, employers that provide counseling, physical assessments, medical devices or equipment, or on-site health centers for their employees may well qualify as health care providers and be—at least partly—covered by the privacy regulations.

It is important to note, however, if an employer fits the definition of a health care provider, it will become subject to HIPAA’s privacy regulations only if it transmits PHI in electronic form. But, once an employer sends PHI in even a single electronic transmission, all of its PHI—including non-electronic data—is subject to HIPAA’s privacy regulations.

Examples Are Worth A Thousand Words

The preceding information may be difficult to grasp in a vacuum, so here are some examples to help you better understand when employers may, or may not, be subject to HIPAA’s privacy rules:

Situation No. 1. A company sponsors a self-insured group health plan for more than 50 of its full-time employees. The employer receives PHI to perform plan administration.

Is the employer required to comply with HIPAA by virtue of the self-insured group health plans it sponsors?

Compliance answer. HIPAA compliance varies depending on the role of the employer in plan administration and the particular plan(s) at issue. If an employer, as a plan sponsor of HIPAA-covered plans, provides health benefits only through an insurance contract with a health insurer/HMO and does not create, maintain or receive PHI in administering the health plan, the employer—as plan sponsor—would be excused from HIPAA’s privacy rule requirements.

However, since the employer in this example is the plan sponsor of a self-insured plan and receives PHI in connection with the administration of this plan, HIPAA compliance is required. Even if a third party administrator handled all plan administration, various HIPAA obligations still would exist for the employer as plan sponsor of a self-insured plan. For example, the employer, on behalf of the plan, would need to enter into a business associate agreement with the third party administrator confirming that the third party administrator will comply with HIPAA. (The compliance tasks required of employers are discussed later in this article.)

Situation No. 2. An employer sponsors group health plans (medical, vision and dental) that are all fully insured. While the insurance companies provide most administrative functions related to the plans, the employer sends out COBRA notices, helps employees with reimbursement and payment issues, and handles other administration obligations that cause the employer to receive and use plan participants’ PHI.

Is the employer subject to the HIPAA privacy rules?

Compliance answer. Because the employer in this situation receives PHI in its role as a plan sponsor, the employer (as a plan sponsor) is covered by HIPAA. The fact that the employer administers the COBRA program and performs other duties in which it creates, receives or uses PHI (as opposed to delegating these functions to a third party) requires the employer, as plan sponsor, to comply with HIPAA’s privacy obligations. Hence, if an employer as a plan sponsor of a fully insured plan gets PHI from the plan, HIPAA compliance is required.

Note: If in the situation above, the employer’s access (as plan sponsor) to PHI was limited to what it received from employees who requested help getting various medical bills/claims paid, the employer, according to the preamble of the HIPAA privacy rules, would not be covered by HIPAA.

Situation No. 3. An employer sponsors a fully insured group health plan and does not get involved with the administration of the plan. Specifically, the employer does not receive PHI of any employee or other plan participant. Nevertheless, the employer does offer a health care flexible spending account (FSA).

Is the employer required to comply with HIPAA by virtue of the fully insured group health plan? Is the employer required to comply with HIPAA by virtue of the FSA?

Compliance answer. The employer would not need to comply with HIPAA’s privacy rules due to the fully insured group plan it sponsors since the employer, as plan sponsor, would not receive PHI in its role as plan sponsor. The insurance company would make all decisions and receive PHI and, therefore, the insurer—not the employer—would need to comply with HIPAA’s privacy rules.

However, due to the sponsorship of the FSA, the employer in this example would be required to comply with the somewhat onerous compliance obligations of HIPAA. The failure to recognize the application of HIPAA to FSAs is a common mistake.

It also is worth noting that the fact that insurers and health care providers are subject to HIPAA’s privacy rules may affect employers in other ways, albeit less directly: Providers cannot share an employee’s PHI with anyone, other than the employee, unless the employee permits it; unless disclosure is required by law; or unless disclosure is required for treatment, billing or administration. As a result, employers may have more difficulty obtaining medical information for employment-related purposes such as certifying family leave, documenting sick leave or establishing the need to accommodate an employee under the Americans with Disabilities Act (ADA).

Situation No. 4. HR and benefits employees administer a company’s short- and long-term disability plans, as well as the workers’ compensation program. In administering the plans, employees come into contact with identifiable medical information of other employees.

Is the employer subject to HIPAA due to the administration of the disability and workers’ compensation programs?

Compliance answer. Disability plans are not considered covered group plans, so the employer would not be subject to HIPAA’s privacy rules. That is true even if employees who administer the short- and long-term disability plans come in contact with identifiable medical information.

Also, HIPAA’s privacy rules do not apply to workers’ compensation insurance, so the employee involvement in administering the workers’ compensation plan is not problematic with regard to HIPAA.

Note: Accidental death and dismemberment insurance, liability insurance (such as auto insurance) or any other insurance benefits where medical benefits are incidental to the primary benefit are not subject to HIPAA.

Of course, even though the medical data in this situation is not covered by HIPAA, the employer should severely restrict its disclosure in an effort to protect its confidentiality. Employers that fail to take these steps run the risk of liability under not only the ADA, but also the common law privacy tort of “Public Disclosure of Private Fact.”

Situation No. 5. An employer subjects all employees and job applicants to drug testing. The employer uses the results of the tests to make hiring and other employment decisions.

Is the employer subject to HIPAA privacy rules due to the fact that it receives the test results?

Compliance answer. The results of drug tests would most likely be considered employment records, not PHI. Medical information that is part of an employment record is specifically excluded from the definition of PHI and, therefore, the employer is not obligated to comply with HIPAA.

However, the lab or testing facility, which would be subject to HIPAA, may require the employer to get forms signed by applicants and employees authorizing the release of their test results to the employer.

Situation No. 6. An employer in the manufacturing business has a small on-site health clinic and counseling center for employees. The clinic and center transmit PHI electronically in connection with billing and other functions.

Is the employer subject to HIPAA’s privacy rules?

Compliance answer. Yes. Compliance with HIPAA is required due to the employer’s role as a health care provider that transmits PHI in electronic form in connection with financial or administrative transactions.

However, most employers that provide medical services as a subsidiary of their main function (in this case, manufacturing) will not be covered in their entirety by HIPAA. Rather, employers can limit the application of HIPAA’s privacy rules to those departments or offices that actually generate, use or maintain PHI.

If the employer’s only HIPAA-covered function is its counseling center or on-site clinic, the employer may declare itself a hybrid entity, designate the counseling center or clinic as its health care component, and ensure that the health care component complies with HIPAA.

If an employer is a hybrid entity for HIPAA purposes, then disclosures from the covered function within the organization (the clinic or counseling center) to a non-covered function (all other functions or departments) are treated as disclosures to someone outside of the employer.

In other words, for HIPAA purposes, non-covered functions of the employer are treated as a separate legal entity. Firewalls must be established between the covered functions and non-covered functions. While the hybrid entity concept generally applies only to health care providers, it does not apply to health care plans. The plan is a covered entity. However, to limit the scope and impact of HIPAA, the employer can designate as a separate entity those functions or individuals—such as the HR department—that are responsible for HIPAA compliance for covered plans. When this occurs, training and other HIPAA requirements will apply only to the employees and departments dealing with PHI.

Compliance Tasks

Clearly, coverage determinations are difficult, and extensive HIPAA knowledge is necessary to make informed coverage determinations. Therefore, depending on your organization’s role as plan sponsor or provider, the types of plans your organization sponsors, your organization’s exposure to PHI from the plan, and the other factors mentioned above and within the HIPAA rule, employers may have to comply with a variety of HIPAA’s privacy provisions, including some or all of the following:

  • Designate a privacy officer and HIPAA compliance team.
  • Amend your group health plan documents to allow PHI to be passed from the plan to you as plan sponsor and provide the required certification to the group health plan (insured or self-insured; medical, dental, vision, long-term care or FSA) or the carrier/HMO, certifying that the plan sponsor will comply with relevant HIPAA obligations, including amending the plan to allow it to provide PHI to the plan sponsor.
  • Provide employees with a notice of their rights to review, amend and receive an accounting of their PHI.
  • Prepare and execute business associate agreements (or amendments to existing agreements), with those third parties with whom you as an employer/plan sponsor need to share PHI to ensure that the third parties comply with HIPAA’s privacy obligations when they receive PHI from your plan.
  • Prepare and provide an authorization form for your employees to sign allowing you as the employer/plan sponsor to share PHI with third parties or to get PHI from another covered entity.
  • Implement written privacy policies and procedures, including processes by which PHI is used and disclosed, policies that explain how employees can lodge complaints, procedures for employees and other plan participants to examine and amend their PHI, policies governing record retention, and procedures for the advancement toward the minimum necessary standard.
  • Develop appropriate safeguards (physical, administrative and technical) to guard against unintended disclosure of PHI.
  • Develop a policy and keep a log to record disclosures of PHI.
  • Provide and document the training of employees who have access to PHI.
  • Develop a system for sanctions for those individuals who violate the privacy policies or safeguards.

In addition to fulfilling the steps above, some employers will have to meet additional security standards, transaction standards or both. Security standards apply to employers that sponsor health plans and transmit or maintain health plan data electronically. Transaction standards apply to certain employers that sponsor health plans, transmit health plan data electronically and have on-site medical clinics or pharmacies.

It’s Not Too Late

The compliance clock is ticking. In fact, the alarm bell has been ringing for weeks. The time for compliance is now. Your company cannot afford to wait. The civil and criminal penalties for violating HIPAA’s privacy regulations can be significant. Civil penalties can be assessed up to $100 per day per violation (up to $25,000 per violation per calendar year). In addition, criminal penalties may be assessed against any person who knowingly misuses PHI.

While HIPAA does not permit individuals to pursue a private cause of action, it does allow individuals to submit complaints to the Department of Health and Human Services Office for Civil Rights, which will investigate and, if necessary, assess fines.

Don’t get caught without the proper HIPAA privacy protections in place—compliance is achievable.

Author’s Note: This article is not intended to be legal advice but is intended as general guidance.

Jodi Plavner is a partner in the Employment Services Department of Wolf, Block, Schorr and Solis-Cohen LLP in Philadelphia. Her practice focuses on compliance, counseling, training and policy development with regard to issues such as HIPAA, OSHA, FLSA, ADA, FMLA, performance management, harassment/discrimination, hiring and recruitment, and substance abuse.

