Does HIPAA Apply to Employers?

The answer to the question "does HIPAA apply to employers?" is complicated because, although the Health Insurance Portability and Accountability Act impacts around half of employers, only a small percentage of employers are required to comply with the Privacy, Security, and Breach Notification standards of the Administrative Simplification provisions.

According to a September 2022 report compiled by the Bureau of Labor Statistics, 70% of workers in private industry have access to an employer-sponsored health insurance plan. The percentage gets smaller as the size of the business decreases (in terms of number of employees); so – as there are more smaller businesses than larger businesses – it is fair to say that around half of employers are impacted by HIPAA regulations relating to the portability and accountability of health insurance.

Therefore, the answer to the question "does HIPAA apply to employers?" is “yes” if the question is asked in the context of HIPAA in general. However, when most people ask whether HIPAA applies to employers, they are asking in the context of the Administrative Simplification provisions – and, more specifically, in the context of the Privacy, Security, and Breach Notification Rules. This is where the answer gets more complicated.

Who Does HIPAA Apply To?

In the context of the Administrative Simplification provisions, HIPAA applies to “Covered Entities” – generally (but not always) health plans, health care clearinghouses, and healthcare providers that conduct electronic transactions for which the Department of Health and Human Services (HHS) has published standards. The electronic transactions and standards that qualify a healthcare provider as a Covered Entity can be found in 45 CFR Part 162.

In addition to Covered Entities, the Administrative Simplification provisions can apply to “Business Associates” – businesses that provide a service to, for, or on behalf of a Covered Entity. In all cases involving the collection, use, maintenance, or transmission of Protected Health Information, Business Associates are required to comply with the Security Rule. Which other provisions apply depends on the nature of the service being provided to, for, or on behalf of a Covered Entity.

Some Administrative Simplification provisions can also apply to businesses that do not qualify as either Covered Entities or Business Associates. For example, Medicare prescription drug card sponsors are required to comply with the standards of the Privacy Rule, while vendors of personal health devices and related entities are required to comply with the standards of the Breach Notification Rule. But how does HIPAA apply to employers covered by these rules?

What HIPAA Says about Employers

All employers collect individually identifiable information about employees (for example, for HR purposes), and when the information relates to an employee's health, the information is classified as individually identifiable health information. When individually identifiable health information is maintained or transmitted by a Covered Entity (or another business subject to the Administrative Simplification provisions of HIPAA) it becomes Protected Health Information.

However, there are exceptions to the definition of Protected Health Information in 45 CFR §160.103: the definition does not apply to individually identifiable health information maintained in educational records, to information that relates to an individual who has been deceased for fifty years or more, or – importantly in the context of answering the question "does HIPAA apply to employers?" – to information in employment records held by a Covered Entity in its role as employer.

This means that, for example, if an employee of a healthcare facility takes time off work because they are sick and gives their employer a sick note from a doctor, the sick note is not Protected Health Information because it is part of the employee's employment record. However, if the employee's condition deteriorates and they are treated by the healthcare facility, the record of the employee's condition, treatment, and payment for the treatment is Protected Health Information.

How Does HIPAA Apply in this Scenario?

In this scenario, HIPAA does not apply to the healthcare facility in its role as an employer, but it does apply to the healthcare facility in its role as a provider of treatment. Consequently, any individually identifiable health information maintained in an employment record has to be kept separately from any individually identifiable health information relating to the employee's treatment. Also, the employment record is not protected by HIPAA – although other state and federal laws may apply.

This is not the only scenario in which HIPAA applies to employers in their role as a Covered Entity, but not in their role as an employer. A number of employers administer self-insured health plans, and in this scenario, HIPAA regards the employer and health plan as two separate entities. However, because the employer has access to Protected Health Information maintained by the health plan, the employer is required by §164.504(f) to provide a certification (not unlike a Business Associate Agreement) that Protected Health Information will not be used for employment-related actions.

Other scenarios exist in which an employer can access Protected Health Information, and in these scenarios, HIPAA does apply to employers in respect of how Protected Health Information is further used or disclosed. For example, a healthcare facility is permitted to disclose the minimum necessary Protected Health Information about an employee's condition to an employer subject to the employer only using or disclosing the information for one of the purposes allowed by §164.514(b)(1)(v) – such as evaluating whether the employee has a work-related illness or injury.

Does HIPAA Apply to Employers? Conclusion

While HIPAA impacts around half of employers, the Administrative Simplification provisions of HIPAA only apply to employers in certain circumstances. These include – but are not limited to – when a healthcare facility provides medical treatment for an employee, when an employer administers a self-insured health plan, and when an employer – who is not necessarily a Covered Entity – obtains Protected Health Information from a Covered Entity for a purpose allowed by the Privacy Rule.

If you – as an employer – are unsure about your HIPAA compliance obligations under the Administrative Simplification provisions of HIPAA, it is recommended that you seek professional compliance advice.

Author: Daniel Lopez

Daniel Lopez is the HIPAA trainer behind HIPAA Coach and the HIPAA subject matter expert for NetSec.news. Daniel has over 10 years' experience as a HIPAA coach. Daniel provides his HIPAA expertise to several publications including Healthcare IT Journal and The HIPAA Guide. Daniel studied Health Information Management before focusing his career on HIPAA compliance and protecting patient privacy. You can follow Daniel on Twitter / X: https://twitter.com/DanielLHIPAA