Are employers covered entities under HIPAA law? Do employers need to have documentation of their HIPAA compliance?
The short answer is yes -if they provide group health insurance for their employees. HHS states that: A “group health plan” is one type of health plan and that this plan is a covered entity under HIPAA. The only exception is for plans with fewer than 50 participants.
So, let’s break this down. The term “Health Plan” has two definitions in the HIPAA law:
- A health insurance carrier that sells individual or group health, dental and/or vision insurance products.
- A group health plan, under ERISA, means any employee benefit plan that provides health, dental and/or vision benefits. The health plan is required to have documented policies and procedures for handling the PHI associated with it, so if Human Resources is managing the plan that means your company needs to be HIPAA compliant.
Under the ERISA regulatory schema, the idea of the Health Plan being separate from the employer is a critical element, but the courts have largely ignored this distinction since there is so rarely a different level of control from the employer vs. the health plan. So we’ve said that the difference between an employer and a group health plan is the difference between you wearing two hats. It’s still the same person under the hat, just like Clark Kent is still Superman, even if he is wearing a pair of glasses.
Employers come into contact, sometimes store, and a lot of times control an employee’s Protected Health Information, which is regulated under HIPAA. In order to be HIPAA compliant as an employer, you need to make sure that you have both Security and Privacy Policies and Procedures in place, and contracts with any business associates you use to store, transport or interact with that PHI.
A covered entity has business associates which are the health insurance agents, lawyers, accountants, IT contractors, paper shredding companies, email hosts, etc. It’s important to note that your company needs to have Business Associate Agreements in place with these support companies and individuals who will possibly see PHI. Keep in mind, these are not Business Associate Subcontractor Agreements. Covered entities don’t have subcontractors – they have business associates. It is your business associates that have subcontractors. By clicking the link above you can download a free template which we created. When selecting your “industry” choose Employer.
Another responsibility you have is to train your employees that come in contact with PHI. We offer HIPAA training and recommend you require any staff with access to PHI to take this training every year. HHS will look for confirmation of this training for every year dating back 6 years if they audit your company.
In conclusion, Privacy and Security of the PHI in your company’s health plan are very important, and there are stiff fines for your company if a breach happens and there is no plan in place. Make sure that your staff is trained and knows what their responsibilities are before they come in contact with PHI, and if you need help developing policies and procedures to prevent a breach and pass an audit make sure you reach out to our sales team and ask to learn about HIPAA Prime.
By Jason Karn
Google+
Linkedin
Total HIPAA specializes in HIPAA compliance services, helping businesses adhere to HIPAA guidelines and protect sensitive data. Our experts ensure your organization remains compliant with HIPAA regulations, meaning you can focus on your core operations while we handle documenting the policies and procedures that make up your HIPAA compliance plan. Trust Total HIPAA for comprehensive compliance solutions tailored to your needs. Book a clarity call today.
