Employers – especially those not involved in the health care industry – may not be aware they could be considered “covered entities” under the Health Insurance Portability and Accountability Act (HIPAA) and thus subject to its privacy rules.

Now is the time for any employer handling protected health information to have an assessment performed to determine if they are subject to HIPAA.

Most employers that provide self-funded or self-administered health insurance benefits to their employees are considered covered entities and must comply with HIPAA privacy rules. This includes many employers with self-funded plans, even if a third-party administrator is utilized (although there is an exception for plans with fewer than 50 participants).

In addition, employers may be covered entities if they provide certain wellness programs, employee assistance programs, medical reimbursement accounts, or on-site clinics (if operated by the employer).

Similarly, an employer may be considered a “business associate” of its insurance provider if it receives protected health information while performing services for the insurance provider or another covered entity. These employers will need to manage their relationships with benefit administrators through business associate agreements.

Protected health information generally means health information about identifiable individuals that:

  • is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and
  • relates to the physical or mental health or condition of an individual; the provision of health care to an individual; or the payment for the provision of health care to an individual.

Employers exempted from HIPAA:

  • If an employer receives protected health information solely in its role as an employer, it is not subject to HIPAA. Such protected health information may be related to the Family and Medical Leave Act, workers’ compensation claims, life and disability insurance, or medical information relating to the ability of an employee to perform duties required for employment.
  • Employers with self-funded or self-administered plans with fewer than 50 participants.

September 23 is the deadline for most action items under the final HIPAA regulations, so there is a renewed urgency for employers to evaluate whether a business is subject to HIPAA. If an assessment determines an employer is a covered entity or business associate under HIPAA, it must comply with requirements of HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) Act.

For example, if an employer is determined to be a covered entity, it must:

  • perform a risk assessment;
  • have a written privacy policy;
  • update and distribute a notice of privacy practices;
  • have privacy rules in place;
  • train the workforce of individuals who have access to protected health information; and
  • have forms and policies in place for complying with participant requests for restrictions on the use of protected health information and for providing copies of protected health information to others.

Covered entities must also identify and have agreements with business associates who have access to protected health information.

Both covered entities and business associates must be cognizant of the obligation to report breaches of protected health information under HIPAA and HITECH.

New breach penalties are higher, and the U.S. Department of Health and Human Services has become more aggressive in its enforcement. Penalties may range from as low as $100 per violation to as high as $50,000 per violation, up to a maximum penalty of $1.5 million per year, depending on the circumstances and nature of the violations. Covered entities that suffer a breach and have not taken appropriate steps to comply with the rule will be more severely penalized.
