- Employee Benefits
- Article
- 6 min. Read
- Last Updated: 09/11/2025
Does HIPAA Apply to Employers? Understanding Your Responsibilities

Does your organization have obligations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA)? If so, you will need a thorough understanding of the current HIPAA law, and you must know the steps required to protect employees' protected health information.
What Does HIPAA Stand For?
HIPAA is the acronym for the federal law known as the Health Insurance Portability and Accountability Act of 1996.
What Is HIPAA Law and What Does HIPAA Protect?
According to the U.S. Department of Health and Human Services (HHS), HIPAA permits the sharing of the information needed to ensure individuals receive access to high-quality healthcare, while also protecting their right to privacy. Any covered entity or business associate with access to protected health information (PHI) must implement measures to comply with HIPAA.
Does HIPAA Apply to Employers?
In most cases, HIPAA does not apply directly to employers.
The law governs health plans, healthcare providers, and clearinghouses, not businesses in their role as employers. However, if an employer sponsors a group health plan or directly handles PHI from that plan, specific HIPAA requirements may come into play.
Knowing which parts of HIPAA apply and which do not helps employers identify potential risks and handle employee health information correctly.
What Are Some Misconceptions About HIPAA Laws and Rules?
There are some myths about HIPAA laws and rules for employers.
The HHS sets the record straight on its site that HIPAA doesn't:
- Prevent an employer from asking for a doctor's note for an absence, although this practice may create other risks for employers.
- Affect your ability to request information needed to administer benefits programs, such as healthcare coverage, workers' compensation claims, or sick leave. However, employers should consider other risk factors around these types of requests and records.
- Cover all employee benefit information. For example, employee life insurance, disability, workers' compensation, and wellness programs that are not part of a group health plan are generally not covered under HIPAA.
- Cover data maintained in employment records. HIPAA's definition of PHI excludes records an employer holds in its role as employer; the rules reach only the medical and health plan records of employees participating in the company's group health plan.
What Are Some Examples of Employer HIPAA Violations?
Breaches reported to HHS commonly fall into these categories:
- Hacking/IT Incidents: Unauthorized data access caused by malware or other system intrusions.
- Theft or Loss: When laptops, phones, or other devices containing protected health information are lost or stolen.
- Unauthorized Access or Disclosure: Sharing an individual's health information with someone who does not have the right to receive it.
- Improper Disposal: Discarding records without safeguards, such as failing to shred paper files or securely wipe electronic media.
What Is the Purpose of HIPAA Laws and Rules in the Workplace?
HIPAA compliance creates additional obligations for an employer managing benefits and employee data. The right tools and support let you concentrate on running your business without worrying about compliance gaps.
Which Organizations Are Impacted by HIPAA Law?
Two types of organizations are subject to HIPAA: covered entities and business associates. Employer-sponsored health plans are considered covered entities under the law. This means that the exchange of information between employers and health plans may be subject to additional safeguards compared to other benefit plans.
What Is a Covered Entity Under HIPAA?
HIPAA's covered entities are health plans (including employer-sponsored group health plans), healthcare clearinghouses, and healthcare providers, such as hospitals, physician practices, and pharmacies, that transmit health information electronically in connection with a standard transaction.
What Are Business Associates Under HIPAA?
A business associate is a person or organization that performs services for a covered entity or another business associate. When those services require access to PHI, the business associate becomes subject to HIPAA requirements.
Common examples of business associates include:
- Service Providers: Accountants, billing companies, or claims processors who handle PHI.
- Consultants: Compliance or benefits advisors who access employee health information.
- Technical Support Vendors: Cloud storage providers, IT contractors, or data management companies that maintain PHI.
- Third-Party Administrators: Organizations that help employers manage group health plans.
If an employer sponsors a group health plan and relies on outside vendors to run it, the employer must make sure those vendors sign business associate agreements and follow HIPAA rules.
How Employers Can Become HIPAA-Compliant
Although HIPAA's primary intent is to improve the portability and continuity of healthcare insurance plans, employers should be familiar with the law and potential areas that may affect them. HIPAA compliance for employers can often result in stronger data security and standardized processes that improve an employer's benefits administration procedures. To get started, it helps to understand the five key HIPAA rules that outline these responsibilities.
Five Important HIPAA Rules for Employers
There are five regulations to pay close attention to regarding HIPAA law. Employers should consider each of these rules carefully when it comes to compliance.
1. Privacy Rule for Protected Health Information (45 CFR § 160 and 45 CFR §164, Subparts A and E)
HIPAA defines PHI broadly: individually identifiable health information that relates to an individual's past, present, or future physical or mental health, the provision of healthcare to the individual, or payment for that care. Demographic and contact details such as name, address, and Social Security number become PHI when they are tied to that health or payment information.
HIPAA specifies with whom PHI may be shared. In most cases, covered entities and business associates can use or disclose PHI without the individual's written authorization only:
- To the individual, or to a designated personal representative
- For treatment, payment, and healthcare operations
- To a deceased individual's personal representative, such as an executor, and to family members or others who were involved in the individual's care before death
- As required by law, including in response to a court order
Covered entities are required to give notice of their privacy practices, state how PHI may be used or shared, and follow specific rules about the content and timing of that notice. If they fail to do so, or if PHI is disclosed improperly, civil penalties are tiered by level of culpability, with statutory amounts of up to $50,000 for each violation and an annual cap of $1.5 million; these amounts are adjusted annually for inflation.
2. Security Rule (45 CFR § 160 and 45 CFR §164, Subparts A and C)
The Security Rule requires covered entities and business associates to implement administrative, physical, and technical safeguards to protect electronic PHI (ePHI). Organizations must conduct a risk analysis, take reasonable steps to prevent unauthorized access, protect against reasonably anticipated threats, and ensure that their workforce complies with security standards.
Breaches of the Security Rule carry the same tiered civil penalties as the Privacy Rule: up to $50,000 per violation and a statutory annual cap of $1.5 million, adjusted for inflation each year (the adjusted cap now exceeds $2 million, which is why figures such as $2.1 million are also cited). The financial impact often goes beyond government penalties. Companies may have to cover legal defense and settlements, pay for breach investigations and technology fixes, deal with lost business, and repair the damage to their reputation.
3. Breach Notification Rule (45 CFR §§ 164.400-414)
Under this rule, covered entities must notify affected individuals of any breach of unsecured PHI without unreasonable delay, and no later than 60 days after discovery. The covered entity must also notify the Secretary of HHS: within 60 days for a breach affecting 500 or more individuals (along with notice to prominent media outlets), and annually for smaller breaches. A business associate that discovers a breach must notify the covered entity so that the covered entity can meet these obligations.
4. Administrative Simplification Regulation (45 CFR 160, 45 CFR 162, and 45 CFR 164)
The administrative simplification provisions standardize the electronic exchange of healthcare information. National standards were set for electronic transactions, code sets, and unique identifiers. The standard unique employer identifier is the Employer Identification Number (EIN) assigned by the IRS, so employers are identified by their EIN in all HIPAA standard transactions.
5. Omnibus Rule (45 CFR § 160, Subparts C, D, E; 162; 164, Subparts A, C, D, E)
The Omnibus Rule of 2013 made business associates directly liable for compliance with the Security Rule and applicable Privacy Rule provisions, and it increased penalties for noncompliance. It also requires covered entities to honor an individual's request to restrict disclosures to a health plan when the individual has paid for a healthcare item or service out-of-pocket in full. Companies that meet the definition of a business associate need to understand these responsibilities.
How Does HIPAA Apply to Employers During Events Causing Public Health Concerns?
While HIPAA requirements still apply during public health emergencies, covered entities may be permitted to disclose PHI without the individual's authorization to certain persons or organizations, including:
- Public health authorities, and, at their direction, officials of a foreign government agency collaborating with them
- Persons at risk of contracting or spreading a disease, where other law authorizes the disclosure
- A patient's family members, relatives, friends, or others involved in the patient's care
Although HIPAA restricts the sharing and use of personal health information by covered entities and business associates, the law doesn't apply to employment records. Using COVID-19 as an example, the current HIPAA regulations do not prohibit employers from requesting vaccine information from employees.
Additionally, HIPAA doesn't prevent individuals from voluntarily sharing their vaccination status in the workplace, as they are not considered covered entities.
Employers should note that other state or federal rules may apply.
HIPAA Compliance in the Workplace
HIPAA compliance for employers is critical, whether they are a covered entity or business associate, offer a group health plan, or are operating during a public health emergency. Proactively addressing HIPAA may yield additional benefits for your organization, such as enhanced data security and a more efficient flow of information stemming from the use of standardized procedures and data identifiers.
If your business operates in the healthcare space or contracts with a company that does, it is essential to determine your HIPAA obligations and associated risk exposure. An experienced HR professional or business attorney can help you map the risks, as well as develop and implement a plan to stay HIPAA-compliant.
How Paychex Can Support Your Compliance Needs
Navigating HIPAA alongside other benefit and privacy requirements can be complex, especially for employers that sponsor health plans. Paychex offers tools and guidance to help streamline benefits administration, enhance data security practices, and mitigate compliance risks.