How does HIPAA’s privacy regulation impact employers?
HIPAA does not require that covered entities obtain patient consent for any use and disclosure of protected health information (PHI) for purposes of treatment, payment, and health care operations (TPO). But for most other uses and disclosures of PHI, covered entities must obtain a HIPAA-compliant authorization from the individual.
HIPAA also requires that when a covered entity uses or discloses PHI, it make reasonable efforts to limit the information used or disclosed to the minimum necessary to accomplish the intended purpose for the use or disclosure.
Covered entities. Under HIPAA's privacy regulation, covered entities include health plans (including employer-sponsored plans), health care clearinghouses, and health care providers. Dental and vision plans are not excepted under the HIPAA privacy regulation. Healthcare flexible spending accounts (FSAs) and cafeteria plans are covered as well to the extent they meet the definition of an employee welfare benefit plan under ERISA and pay for medical care, unless they have fewer than 50 participants and are self-administered.
While employers are not usually considered covered entities, an employer that is a plan sponsor will have to comply with some of HIPAA's privacy rules in order to receive any PHI that it may need.
Thus, employers who sponsor ERISA health plans (especially those that self-insure or self-administer their plans) are subject to the rules because ERISA plans are separate legal entities from the employer. Therefore, the component of the employer charged with operating the plan is a covered entity. Employers offering group health plans solely using insurance company products and HMOs are largely exempted, if they do not create or receive any protected health information (PHI), other than summary health information and enrollment information.
Protected health information. PHI is defined as all individually identifiable health information transmitted or maintained by a covered entity, whether communicated electronically, on paper, or orally. Not all medical information kept by a company is protected PHI. Whether it is protected depends on whether an entity creates or receives the information in its role as an employer or in its role as a group health plan, and thus as a covered entity.
Indirect impact. Even if a particular employer is not considered a covered entity, the privacy regulation is likely to have some impact. For example, employers must obtain special authorization from employees when they seek to gain access to employee information that is considered PHI. This can affect an employer's procedures for fitness-for-duty physicals, sick leave administration, FMLA, ADA accommodations, etc.
Reprinted with permission. © CCH