Throughout the text of the Health Insurance Portability and Accountability Act (HIPAA), many provisions connect HIPAA law and employers. From the exclusions to guaranteed health plan renewability in Title I to the conditions for deducting loan interest on life insurance plans in Title V, there are plenty of HIPAA laws for employers to comply with.
However, the most complex areas of HIPAA compliance for employers are the Administrative Simplification Regulations in Title II. These Regulations include the Privacy, Security, and Breach Notification Rules; and while these Rules are generally regarded as applying only to Covered Entities, they contain standards that some employers who are not HIPAA Covered Entities may still have to comply with.
When is an Employer a HIPAA-Covered Entity?
Generally, an employer is a HIPAA Covered Entity when the employer is a health plan, a healthcare clearinghouse, or a healthcare provider that conducts electronic transactions for which the Department of Health and Human Services (HHS) has published standards. The standards for electronic transactions that qualify an employer as a HIPAA Covered Entity appear in CFR 45 Part 2.
There are exceptions to this definition of a HIPAA Covered Entity, and it is possible for an employer who does not qualify as a Covered Entity to be “involved” in covered transactions if – for example – they act as an intermediary between an employee, a healthcare provider, and a health plan. Additionally, an employer that self-administers a health plan with fewer than 50 participants is not considered to be a Covered Entity under HIPAA unless it qualifies as a healthcare provider.
Employment Records, HIPAA Law, and Employers
One potentially confusing area of the Administrative Simplification Regulations relates to employment records, HIPAA law, and employers. This is because the definition of individually identifiable health information in §160.103 includes “information collected from an individual or created or received by a health care provider, health plan, employer, or health care clearinghouse.”
However, the definition of Protected Health Information (also in §160.103) excludes “employment records held by a Covered Entity in its role as an employer.” This exclusion applies to individually identifiable health information an employer might receive and maintain in an employment record to explain – for example – the reason for a leave of absence due to sickness or an injury.
Potential Privacy Issues with the Requirements
But what about other types of individually identifiable health information an employer might collect, create, or receive? For example, under §164.512, Covered Entities are allowed to disclose Protected Health Information to enable employers to comply with state and federal accident notification laws such as the Occupational Safety and Health Administration’s injury and illness recordkeeping and reporting requirements.
There is no requirement under HIPAA for employers to keep Protected Health Information of this nature secure (although state privacy and security laws may apply), and Covered Entities have no control over how it is further used or disclosed by the employer. This raises potential privacy issues if an employer not subject to state privacy and security laws fails to secure the information.
A Solution to Address Potential Privacy Issues
Whether an employer qualifies as a Covered Entity or not, one way to address potential privacy issues for individually identifiable health information not protected by HIPAA is to adopt a model of “voluntary partial compliance”. This involves implementing safeguards similar to those required by HIPAA to maintain the privacy and security of individually identifiable health information.
For organizations unfamiliar with these safeguards, a good place to start is by downloading a HIPAA Compliance Guide. Thereafter, if questions remain about how best to maintain the privacy and security of individually identifiable health information, it is recommended that employers seek advice from a HIPAA compliance professional.
The post HIPAA Law and Employers appeared first on HIPAA Journal.