The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that was enacted to ensure protection of individuals' protected health information (PHI). The Standards for Privacy of Individually Identifiable Health Information (Privacy Rule) issued by the U.S. Department of Health and Human Services established detailed national standards for the protection of PHI. In general, HIPAA protects individuals from the unauthorized use or disclosure any PHI.

What does this have to do with employers? Well, most employers know that they almost always possess some health-related information on their employees. This type of information can be found in the context of things such as workers' compensation claims, fringe benefit administration, and administration of leave and absenteeism policies. Accordingly, employers should be rightfully concerned about their compliance with HIPAA's Privacy Rule. However, for once, this newsletter is going to deliver some relatively good news to HR managers and in-house counsel.

First Piece of Good News: The HIPAA Privacy Rule only applies to "Covered Entities," which are defined by the regulations as: (1) a health plan; (2) a health care clearinghouse; and (3) a health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter. The rules also apply to "Business Associates," which are vendors that provide services involving PHI for or on behalf of Covered Entities. Under this definition, Covered Entities includes health plans, health care clearinghouses, and health care providers. Thus, the Privacy Rule WILL apply to employers if they somehow operate as a health plan, a health care clearing house, or a health care provider or are providing certain services on their behalf. Most other employers will not be "Covered Entities." As a result, employers providing health coverage to their employees through a health insurance policy will generally not be responsible for HIPAA compliance, because the insurance company is the covered entity (it is considered the health plan) and will be required to comply with HIPAA. In these cases, the employer may subject itself to HIPAA if it affirmatively chooses to receive PHI from the insurer, but this is rare.

Caution for Self-Insured Plans: The story is different, however, for those employers who sponsor health plans on a "self-insured" basis (i.e., the employer does not enter into a health insurance contract, but instead pays for the health benefits out of the employer's general assets and typically engages a service provider to administer claims). While the employer is still not considered a "Covered Entity," the employer becomes the entity responsible for the health plan's HIPAA compliance when the plan is not fully insured by an insurance company. Such employers may contract out most of the HIPAA obligations to a service provider, but they will still have some HIPAA responsibilities, and their employees are much more likely to have access to PHI.

Second Piece of Good News: Most of the information contained in an employer's personnel files and records is not PHI. The regulations state that "Protected health information excludes individually identifiable health information ... in employment records held by a covered entity in its role as an employer." Thus even the information held in employment records by health care institutions is generally not governed by HIPAA.

Third Piece Of Good News: Inquiring HR managers who have read this far are thinking "OK, but what about workers' compensation claims? I get a lot of detailed medical information on my claimant employees. That has to be protected." Here too the Privacy Rule gives employers a break. The rule recognizes that employers, along with their workers' compensation insurers and claims administrators, have a legitimate need to access detailed medical records in order to efficiently administer the workers' compensation system. In many cases, the Privacy Rule allows Covered Entities, those actually providing the medical treatment to your injured employees, to disclose treatment information without violating HIPAA.

The fact that the information you maintain in employment records about your employees is not necessarily regulated by HIPAA should not be the basis for ignoring employees' legitimate privacy concerns. Employers may be subject to various state privacy laws, which afford different and additional protections to employees than does HIPAA. Additionally, employers may have to deal with a knowledge gap in that many employees firmly, but wrongly, believe they are entitled to HIPAA protection over their workplace medical records. This is a complicated and constantly evolving area of the law, so employers should consider taking the following steps:

  • Understand whether the employer has heightened HIPAA obligations, for example, if the employer maintains a self-insured group health plan, and confirms that appropriate policies, procedures, and training programs are in place.
  • Develop policies and procedures to secure what employees believe are their confidential medical records. Train your management as to what they can ask and what they would be better off not asking. It may not be PHI, but that doesn't mean you want TMI (Too Much Information). TMI is information you don't really need to make appropriate management decisions. The fact you have TMI can be used by an employee to make out the elements of a discrimination claim.
  • Even though not necessarily PHI, it's a best practice when asking your employees to provide any medical information — be it to administer leave, fringe benefits, or workers' compensation — to get a properly drafted release and consent from the employee.
  • Whenever an outside party seeks to obtain medical information from your files, such as when your organization is served with records subpoena, get competent legal advice.

While this article presents most good news for HR managers, laws regulating the privacy of medical records are complicated and ever-evolving; so be sure to stay abreast of the latest developments and seek the counsel of appropriate experts.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.