Employee Insurance: Hipaa Compliance?

Would employee insurance enrollment data be considered protected under HIPAA?

Employee insurance enrollment data is not considered Protected Health Information (PHI) under HIPAA, and therefore employers are not subject to HIPAA compliance requirements. However, it is important to note that if the enrollment data is sent to an insurer, it likely becomes PHI and falls under HIPAA regulations. Employers who sponsor insured group health plans often mistakenly believe they are exempt from HIPAA privacy and security requirements, but in reality, many of them do have PHI or electronic PHI (ePHI). HIPAA defines PHI as individually identifiable health information, which includes demographic data relating to an individual's physical or mental health, past or future. While HIPAA does not apply to employee health information (EHI) obtained by employers from sources other than group health plans, such as medical information related to employment, other federal and state laws, such as the Americans with Disabilities Act (ADA), impose restrictions on access, use, and disclosure of EHI.

Characteristics and values

Does HIPAA apply to employee insurance enrollment data?
  HIPAA does not apply to employee insurance enrollment data unless it is touched by a covered entity. For example, enrollment data is not PHI if employees enroll through the employer, but once the employer sends it to the insurer, it probably becomes PHI.

Does HIPAA apply to employers?
  HIPAA generally does not apply to employers. HIPAA applies only to "covered entities," which are defined as: (1) health plans; (2) healthcare clearinghouses; and (3) healthcare providers that electronically transmit certain health information (and certain "business associates" of covered entities).

Does HIPAA apply to employee health information (EHI)?
  HIPAA only applies to EHI related to the employer's group health plans (e.g. medical, dental, employee assistance programs, and health flexible spending arrangements).

Does HIPAA apply to EHI that the employer obtains from a source other than its group health plans?
  No, HIPAA does not apply in this case. However, other federal and state laws (such as the Family and Medical Leave Act and the Americans with Disabilities Act) impose restrictions on the employer's access to, use of, and disclosure of this EHI.

HIPAA, or the Health Insurance Portability and Accountability Act of 1996, applies to protected health information (PHI) of employees. However, its applicability to employee health information (EHI) is quite narrow. HIPAA only applies to EHI related to the employer's group health plans, such as medical, dental, employee assistance programs, and health flexible spending arrangements.

Employer-sponsored group health plans are considered HIPAA covered entities. This means that the exchange of information between employers and health plans may be subject to additional safeguards compared to other benefit plans. The group health plan is considered a separate legal entity from the employer or other parties that sponsor the group health plan.

HIPAA outlines specific restrictions on the use and disclosure of PHI. For example, it requires that covered entities protect patients' PHI by safeguarding PHI they hold and obtaining patient authorization before disclosing PHI. Additionally, it defines with whom protected health information can be shared. Covered entities and business associates can only share PHI in the following situations:

  • With the person in question for treatment, billing, and healthcare operations
  • With descendants in the case of death
  • To a designated personal representative
  • In response to a court order

It's important to note that HIPAA does not apply to EHI that the employer obtains from sources other than its group health plans. This includes medical information related to employment, such as pre-employment physicals, drug testing results, and medical leave, as well as information from other employment-related benefits that are not group health plans, such as life or disability insurance.

While HIPAA's applicability to EHI related to employers' group health plans is narrow, employers must still be aware of their obligations under HIPAA and ensure compliance with its rules and regulations to protect their employees' health information.

HIPAA doesn't apply to EHI obtained from a source other than group health plans

HIPAA, or the Health Insurance Portability and Accountability Act, applies to protected health information (PHI) held by covered entities. Covered entities include health care clearinghouses, certain health care providers, and health plans. A "group health plan" is one type of health plan and is a covered entity (except for self-administered plans with fewer than 50 participants).

The group health plan is considered a separate legal entity from the employer or other parties that sponsor the group health plan. Neither employers nor other group health plan sponsors are defined as covered entities under HIPAA. Thus, the Privacy Rule does not directly regulate employers or other plan sponsors that are not HIPAA covered entities.

HIPAA only applies to employee health information (EHI) related to the employer's group health plans, such as medical, dental, employee assistance programs, and health flexible spending arrangements. HIPAA does not apply to EHI that the employer obtains from a source other than its group health plans, such as medical information related to employment (including pre-employment physicals, drug testing results, medical leave, or workers' compensation) and information from other employment-related benefits that are not group health plans (e.g., life or disability insurance).

Enrollment and disenrollment data may become PHI once it is "touched" by the covered entity. For example, enrollment data is not PHI if employees enroll through the employer, but once the employer sends it to the insurer, it probably becomes PHI. If the insurer subsequently sends back the information so the employer can cross-check that enrolled individuals are current employees, the enrollment information coming back from the insurer to the employer is likely PHI.

Although HIPAA does not apply to EHI obtained from a source other than group health plans, other federal and state laws, such as the Family and Medical Leave Act (FMLA), Americans with Disabilities Act (ADA), and state workers' compensation laws, impose restrictions on the employer's access to, use of, and disclosure of this EHI. These laws also impose obligations to maintain the confidentiality of the EHI.

To summarize, HIPAA does not apply to EHI obtained from a source other than group health plans. However, other laws may protect this information, and employers should apply similar safeguards to all EHI to comply with these laws.

HIPAA doesn't apply to health information contained in employment records

HIPAA, or the Health Insurance Portability and Accountability Act, is a piece of legislation that sets national standards for safeguarding patients' health information. It primarily targets healthcare organizations.

HIPAA does not apply to health information contained in employment records. This is because HIPAA only applies to "covered entities," which are defined as: (1) health plans; (2) healthcare clearinghouses; and (3) healthcare providers that electronically transmit certain health information (and certain "business associates" of covered entities).

Even if an employer is a "covered entity," HIPAA still does not apply to health information they acquire in their roles as employers. This exclusion applies to enrollment and disenrollment information held by the employer. Such information is considered an employment record rather than PHI (Protected Health Information), as long as it does not include any substantial clinical information.

However, HIPAA does apply to an employer's request for health information from a covered entity. A covered entity may not disclose protected health information to an employer without the employee's authorization or as otherwise allowed by law. This is true even when the employee is also a patient or member of the covered entity.

In addition, while HIPAA does not cover the protection of data maintained in employment records, employers have other legal obligations to protect the confidentiality of employee health information in their possession. For example, the Americans with Disabilities Act (ADA) requires employers that obtain disability-related medical information about an employee to maintain it in a confidential medical file that is separate from the employee's personnel file.

Therefore, while HIPAA does not apply to health information contained in employment records, employers should be mindful of other legal obligations they may have to protect the confidentiality of employee health information.

HIPAA compliance is handled by the insurance company for a fully-insured group health plan

HIPAA compliance is a complex area of legislation, and it's important to understand the specific circumstances of a group health plan to determine how it applies. In the case of a fully-insured group health plan, the insurance company typically assumes the primary responsibility for HIPAA compliance. Here's an overview:

The Role of the Insurance Company

The insurance company plays a crucial role in ensuring HIPAA compliance for a fully-insured group health plan. A fully-insured plan is one where the plan sponsor, such as an employer or employee organization, contracts with an insurance company to provide health coverage for its employees or members. This means that the insurance company becomes the "covered entity" responsible for protecting the sensitive health information of the individuals enrolled in the plan.

Protected Health Information (PHI)

The insurance company must comply with the HIPAA Privacy Rule, which governs the handling of Protected Health Information (PHI). PHI is defined as individually identifiable health information, including demographic data, related to an individual's health status, health care provision, or payment for health care. It's important to note that even if a fully-insured plan has limited exposure to PHI, it is not exempt from all HIPAA Privacy Rule requirements.

Compliance Requirements

To ensure HIPAA compliance, the insurance company must implement administrative, physical, and technical safeguards. This includes conducting risk assessments to identify vulnerabilities and implementing suitable measures to protect electronic PHI. The insurance company must also comply with the Breach Notification Rule, which requires prompt notification to affected individuals and relevant authorities in the event of a data breach.

Plan Sponsor's Role

While the insurance company takes on most of the responsibility for HIPAA compliance, the plan sponsor also has certain obligations. The plan sponsor must ensure that the group health plan complies with HIPAA rules. Additionally, they must obtain a certification from the insurance company, stating that health information will be protected and not used for employment-related actions.

Employee Enrollment Data

Employee enrollment data can become PHI once it is shared with the insurance company. When the employer sends enrollment information to the insurer, it likely becomes PHI. This means that the insurance company must handle this data in accordance with HIPAA guidelines, ensuring its privacy and security.

Third-Party Administrators

In some cases, a fully-insured group health plan may use third-party administrators (TPAs) to manage certain aspects of the plan. These TPAs are considered "Business Associates" under HIPAA and must also comply with the relevant HIPAA rules. The plan sponsor is responsible for verifying that TPAs adhere to HIPAA Business Associate Rules and have the necessary agreements in place.

Compliance Challenges

HIPAA compliance for fully-insured group health plans can be challenging due to the dynamic nature of technology and changes in working practices. The insurance company must stay up to date with any amendments, guidelines, and companion rules issued by the Department of Health and Human Services to ensure ongoing compliance.

HIPAA doesn't apply to employers, but they have other legal obligations to protect employee health information

HIPAA, or the Health Insurance Portability and Accountability Act, generally does not apply to employers. HIPAA only applies to "covered entities," which include health plans, healthcare providers, and healthcare clearinghouses that electronically transmit certain health information. However, employers do have other legal obligations to protect the confidentiality of employee health information.

The Privacy Rule, for example, controls how a health plan or covered healthcare provider shares an individual's protected health information with an employer. While the Rule does not protect employment records, even if they contain health-related information, it does protect an individual's medical or health plan records if they are a patient of the provider or a member of the health plan. This means that if an employer asks a covered entity to disclose information about an employee's medical condition, HIPAA permits this only under certain circumstances or with the consent of the employee.

Additionally, other federal laws, such as the Fair Credit Reporting Act and the Fair and Accurate Credit Transaction Act, govern what employers can do with certain types of employee data. For instance, the Americans with Disabilities Act (ADA) requires employers who obtain disability-related medical information about an employee to maintain it in a confidential medical file separate from the employee's personnel file. This information can only be disclosed to specific individuals, such as supervisors and managers who need to know about necessary work restrictions or accommodations, and first aid and safety personnel in case of emergencies.

Similarly, the Genetic Information Nondiscrimination Act (GINA) mandates that employers treat genetic information they acquire as a confidential medical record in a separate file. While different rules govern the disclosure of genetic information, it can be maintained in the same confidential file as disability-related information.

Furthermore, state laws, such as the Oregon Consumer Identity Theft Protection Act, provide additional protections for personal identifying information and medical information in an employer's possession. Oregon employers are required to implement and maintain safeguards to protect the security and confidentiality of this data and report any data breaches.

In summary, while HIPAA generally does not apply to employers, they are still subject to various legal obligations to protect employee health information under federal and state laws. These laws ensure that employers maintain the confidentiality of employee health data, disclose it only under specific circumstances, and take necessary measures to safeguard it.

Frequently asked questions

Employee insurance enrollment data is not considered Protected Health Information (PHI) if employees enroll through their employer. However, once the employer sends the data to the insurer, it likely becomes PHI.

PHI is defined as "individually identifiable health information," including demographic data, that relates to the individual's past, present, or future physical or mental health, the provision of health care to the individual, or the payment for the provision of health care to the individual.

If PHI is mishandled, the covered entity must report the breach to affected individuals, the Department of Health and Human Services (HHS), and, in some cases, local media outlets. Additionally, the covered entity may face legal consequences and fines for non-compliance with HIPAA regulations.
