We are often asked why employers should worry about being HIPAA compliant when HHS says that employers are exempt from HIPAA Privacy & Security rules.
It is true that employers are exempt, but the group health plans that they sponsor must be compliant. Your HR department is the administrator of your health plan, and these staff members are required to be HIPAA compliant because of the PHI they come in contact with as part of their daily duties.
Where’s the Line?
As you may have discovered, the question of when a company needs to be compliant with HIPAA is a nuanced one. First, your health plan is defined as a Covered Entity by HHS. Health plans are required to be compliant with both the Privacy and Security HIPAA Rules.
Although your health plan and your company are considered separate legal entities, there is no way to create a clear line between the plan and the company representative who administers the plan. The company is responsible for administering the plan, thus the administrator will come in contact with PHI.
The administrator is wearing two hats: (1) as an employee of the company, and (2) as a plan administrator for the group health plan. You can take one hat off and be the plan administrator, and then put on the employer’s employee hat, but you are still the same person. Changing your hat doesn’t draw a clear separation. Thus the plan and the company wind up mixed together in the eyes of regulators because the employer’s exemption does not apply to group health plan functions performed by the employer’s employees. You are effectively viewed as one entity and must meet HIPAA requirements.
There are other parts of the law that you may read about that require interpretation. HIPAA describes some companies as a “Hybrid Entity.” This means that they have parts of the business that have to be HIPAA compliant, and parts that don’t. These are most often institutions like colleges or universities that also have student health centers or other medical functions.
Privacy Rule information released by HHS in 2004 stated that there are situations when a company health plan does not need to implement HIPAA.
What HIPAA Says About the Exception for Health Plans:
§ 164.530 Administrative requirements.
(k) Standard: Group health plans. (1) A group health plan is not subject to the standards or implementation specifications in paragraphs (a) through (f) and (i) of this section, to the extent that:
(i) The group health plan provides health benefits solely through an insurance contract with a health insurance issuer or an HMO; and
(ii) The group health plan does not create or receive protected health information, except for:
(A) Summary health information as defined in § 164.504(a); or
(B) Information on whether the individual is participating in the group health plan, or is enrolled in or has disenrolled from a health insurance issuer or HMO offered by the plan. 1
There are 2 things that your health plan has to have in place in order to qualify for this exemption.
- You have to provide benefits solely through an insurance contract with a health insurer or HMO. If any part of your plan is self-funded, your health plan does not qualify for this exemption.
AND
- Your plan must NOT create or receive any PHI, except for Summary Health Information or information on whether the employee has enrolled in or has disenrolled from a health insurance issuer or HMO offered by the plan.
It’s important to note you must meet BOTH elements of this test in order to qualify for the privacy exemption. Collecting or coming in contact with even a little bit of PHI means that you lose these protections, and now you have to be compliant with HIPAA. Many companies lose these exemptions when employees reveal PHI or health information is shared with plan administrators: then the employer has a serious liability issue on their hands.
Places You Can Run into PHI:
- Employees self-reporting health issues
- Employees asking for help with submitting claims
- Enrollment forms
- Information on premium payments
- Claims issues
- Coordination of benefits
- High-dollar claim report, if the information can be used to identify the persons covered
It doesn’t matter what form the PHI is in: you could hear it, physically see or hold it, or receive it in some electronic format (e.g. email or PDF). Once the plan administrator or executive of the company is in possession of it, the employer is required to protect that information and fully comply with both the Privacy and Security HIPAA Rules.
Information disclosed about a family member undergoing radiation therapy, the birth of a child, or other medical conditions shared by an employee with a plan administrator is PHI. Remember, PHI is any health information with an identifier.
Another frequently raised question is whether just taking enrollment information will exempt a company from complying with HIPAA. Companies think they aren’t holding any PHI on their employees. The reality is, once they start looking at information known by the plan administrator, they realize they have all kinds of PHI and a serious liability issue.
Whenever your health plan starts coming in contact with PHI, it is required to:
- Adopt and implement written privacy policies and procedures that meet the requirements of the regulations, 45 C.F.R. 164.503(i);
- Provide a notice of privacy policies and procedures to each participant, 45 C.F.R. 164.520;
- Train employees in the privacy policies and procedures, 45 C.F.R. 164.530(b);
- Appoint a Privacy Officer, 45 C.F.R. 164.530(a);
- Obtain authorization to use PHI for purposes other than payment and health care operations, 45 C.F.R. 164.508(a); and
- Disclose only the minimum necessary PHI, 45 C.F.R. § 164.502(b).
When you are done with Privacy, you need to understand the requirements for Security. There are no exemptions for the Security Law. If the plan administrator is sending information or enrollment forms to the carrier or insurance agent, that information is required to be protected in transmission, at rest or in storage. Your plan administrator needs security policies and procedures in place so they know how to protect any PHI they encounter. And then you must make sure that you have the breach rules covered with a process to communicate any disclosure of PHI to unauthorized third parties.
Real World Issues
Why is HIPAA Privacy and Security so important? Your employees entrust you with their personal and sensitive information, and they have a reasonable expectation that you protect what is in your possession. Beyond HIPAA, there are state laws and even some lawsuits that have been brought against carriers, employers and healthcare providers where they failed in their duty to protect that information.
A high-profile case that we can point to is the Sony hack. Sony was sued by current and past employees, who recently settled for $8 million dollars.2 Imagine if a breach opened up the records that your HR office has on your employees. Recent estimates claim it takes up to $200 per employee to meet the notification requirements when there is a breach.
Most businesses are not prepared for the shocks that come with a breach, nor do they have a plan to protect their employees. This is why HIPAA compliance is so important and needs to be addressed by most employers.
If you are still convinced that HIPAA doesn’t apply to your health plan, we suggest consulting with your legal counsel to make sure they are in agreement.