Do the Recent Changes to HIPAA Impact Employers?

Kegler Brown E-mployment Alert

The Omnibus Rule, effective in March of this year, represents many changes to the Health Insurance Portability and Accountability Act (HIPAA). With these changes, there have been questions about whether employers need to be concerned about complying with the privacy and security requirements of HIPAA. The general answer is "no".

HIPAA requires “covered entities” and “business associates” to comply with certain security and privacy requirements to protect the confidentiality of protected health information (PHI). Covered entity means: (1) a health plan, (2) a health care clearinghouse, or (3) a health care provider who transmits any health information in electronic form in connection with a transaction covered by HIPAA. A health plan means an individual or group plan that provides, or pays the cost of, medical care.

An employer is not typically a covered entity as defined by HIPAA. Even if an employer sponsors a health plan, the health plan is still its own entity and requires its own compliance program. To the extent that an employer administers the health plan itself (as opposed to an insurance company administering the plan), it will need to have a compliance program, which includes limiting access to PHI to only those employees designated to act on behalf of the plan.

The Omnibus Rule expanded the definition of a business associate to include any person who, on behalf of a covered entity, creates, receives, maintains or transmits PHI. Expressly excepted from this definition is a plan sponsor, with respect to disclosures by a group health plan (or by a health insurance issuer or HMO with respect to a group health plan) to the plan sponsor, to the extent that certain requirements are met. Generally, a group health plan may disclose summary health information to the plan sponsor if the plan sponsor requests the summary health information for purposes of obtaining premium bids from health plans for providing health insurance coverage under the group health plan, or for modifying, amending, or terminating the group health plan. As a prerequisite for these disclosures, the plan documents must establish the permitted and required uses and disclosures of the information by the plan sponsor, and the plan sponsor must agree to a number of provisions as enumerated in HIPAA (as recently modified by the Omnibus Rule).

An exception to the general rule may apply if an employer operates a health clinic that is available to its employees, provides a self-insured health plan for employees, or acts as an intermediary between its employees and health care providers. In those situations, the employer may have access to PHI in a manner that requires a HIPAA compliance program to be in place.

Finally, it is important to note that HIPAA does not extend to employment records, even if information in those records relates to an employee’s health. You should remember, however, that other privacy laws may protect these records.

If you have questions about the application of HIPAA to your particular situation, please call the health care lawyers at Kegler Brown Hill & Ritter.