The HIPAA Privacy Rule is one of the most complex pieces of legislation affecting the healthcare sector. Because it aims to bring some uniformity to how individually identifiable personal information is secured across many different use cases, the language of the HIPAA Privacy Rule is “non-specific” and therefore open to a number of interpretations.
Efforts have been made to summarize the HIPAA Privacy Rule in a way that clearly outlines who is covered by the legislation and how it should be applied. Sadly, because of its complicated nature, most summaries do not adequately address the question of how HIPAA applies to employers.
The HIPAA Privacy Rule clarifies the 18 elements of individually identifiable health information that require protection from unauthorized sharing and labels them as “Protected Health Information”. Many of these elements are data that would, for example, be given to an employer’s HR Department when a new worker starts a job. So, under that summarized interpretation, the answer to the question “Does HIPAA Apply to Employers” would be “yes”.
However, Protected Health Information is only covered by HIPAA if it is used to communicate information about an individual’s past, present or future medical state, the provision of healthcare to an individual, or the payment for the provision of healthcare. Therefore, if a worker handed over their individually identifiable health information to an employer’s HR Department, and it was never used for any of these reasons, HIPAA is not applicable to the employer.
Additionally, one factor often missed in summaries of the HIPAA Privacy Rule is that, in order for a “Covered Entity” to be subject to the legislation, the purpose of creating, using, storing or sending Protected Health Information has to be a HIPAA-covered transaction. HIPAA-covered transactions include (but are not restricted to):
- A request for payment from a healthcare group to a health plan accompanied by supporting documentation.
- A review from a healthcare provider regarding the eligibility of an individual to receive treatment.
- A request to a health plan to send a client to another healthcare provider (and the health plan's response).
- The sending of either of the following from a health plan to a healthcare supplier: (1) Explanation of benefits. (2) Remittance advice.
For more guidance about what qualifies as a HIPAA-covered transaction, please refer to 45 CFR Part 2, particularly §§ 162.1101 to 162.1801.
There are times when employers are subject to HIPAA in relation to safeguarding the confidentiality, integrity and security of Protected Health Information. These instances may be few and far between, but when they happen, it is vital that employers are aware of their compliance obligations.
HIPAA does not stop an employer from revealing the birth of a child to the parent’s workplace colleagues, but it will likely apply if an employer manages a self-insured health plan or acts as an intermediary in a high-deductible, consumer-directed health plan. Firms still unsure about how HIPAA applies to employers should seek professional advice relevant to their specific situations.