Why an Employer Group Has to Be HIPAA Compliant

We are often asked why employers should worry about being HIPAA compliant when HHS says that employers are exempt from HIPAA Privacy & Security rules.

It is true that employers are exempt but the group health plans that they sponsor must be compliant. Your HR department is the administrator of your health plan, and these staff members are required to be HIPAA compliant because of the PHI they come in contact with as part of their daily duties.

Where’s the Line?

As you may have discovered, when a company needs to be compliant with HIPAA is a nuanced issue. First, your health plan is defined as a Covered Entity by HHS. Health plans are required to be compliant with both the Privacy and Security HIPAA Rules.

Although your health plan and your company are considered separate legal entities, there is no way to create a clear line between the plan and the company representative who administers the plan. The company is responsible for administering the plan, thus the administrator will come in contact with PHI.

The administrator is wearing two hats: (1) their work as an employee of the company, and (2) as a plan administrator for the group health plan. You can take one hat off and be the plan administrator, and then put on the employer’s employee hat, but you are still the same person. Changing your hat doesn’t draw a clear separation. Thus the plan and the company wind up mixed together in the eyes of regulators because the employer’s exemption does not apply to group health plan functions performed by the employer’s employees. You are effectively viewed as one entity and must meet HIPAA requirements.

There are other parts of the law that you may read about that require interpretation. HIPAA describes some companies as a “Hybrid Entity.” This means that they have parts of the business that have to be HIPAA compliant, and parts that don’t. These are most often institutions like colleges or universities that also have student health centers or other medical functions.

HHS Privacy Rule guidance released in 2004 states that there are situations in which a company health plan does not need to implement HIPAA.

What HIPAA Says About the Exception for Health Plans

§ 164.530 Administrative requirements.

(k) Standard: Group health plans. (1) A group health plan is not subject to the standards or implementation specifications in paragraphs (a) through (f) and (i) of this section, to the extent that:
  (i) The group health plan provides health benefits solely through an insurance contract with a health insurance issuer or an HMO; and
  (ii) The group health plan does not create or receive protected health information, except for:
    (A) Summary health information as defined in § 164.504(a); or
    (B) Information on whether the individual is participating in the group health plan, or is enrolled in or has disenrolled from a health insurance issuer or HMO offered by the plan. [1]

There are two things that your health plan has to have in place in order to qualify for this exemption.

  • You have to provide benefits solely through an insurance contract with a health insurer or HMO. If any part of your plan is self-funded, your health plan does not qualify for this exemption.

AND

  • Your plan must NOT create or receive any PHI, except for Summary Health information or if the employee has enrolled in or has disenrolled from a health insurance issuer or HMO offered by the plan.

It’s important to note that you must meet BOTH elements of this test in order to qualify for the privacy exemption. Collecting or coming in contact with even a little bit of PHI means that you lose these protections, and now you have to be compliant with HIPAA. Many companies lose this exemption when employees reveal PHI to plan administrators, or when health information is otherwise shared with them; at that point the employer has a serious liability issue on its hands.

Places You Can Run into PHI:

  • Employees self-reporting health issues
  • Employees asking for help with submitting claims
  • Enrollment forms
  • Information on premium payments
  • Claims issues
  • Coordination of benefits
  • High-dollar claim report, if the information can be used to identify the persons covered

It doesn’t matter what form the PHI is in: you could hear it, physically see or hold it, or receive it in some electronic format (e.g. email or PDF). Once the plan administrator or an executive of the company is in possession of it, the employer is required to protect that information and fully comply with both the Privacy and Security HIPAA Rules.

Information disclosed about a family member undergoing radiation therapy, the birth of a child, or other medical conditions shared by an employee with a plan administrator is PHI. Remember PHI is any health information with an identifier.

Another frequently raised question is whether just taking enrollment information will exempt a company from complying with HIPAA. Companies think they aren’t holding any PHI on their employees. The reality is, once they start looking at information known by the plan administrator, they realize they have all kinds of PHI and a serious liability issue.

Once your health plan comes in contact with PHI, it is required to:

  • Adopt and implement written privacy policies and procedures that meet the requirements of the regulations, 45 C.F.R. 164.503(i);
  • Provide a notice of privacy policies and procedures to each participant, 45 C.F.R. 164.520;
  • Train employees in the privacy policies and procedures, 45 C.F.R. 164.530(b);
  • Appoint a Privacy Officer, 45 C.F.R. 164.530(a);
  • Obtain authorization to use PHI for purposes other than payment and health care operations, 45 C.F.R. 164.508(a); and
  • Disclose only the minimum necessary PHI, 45 C.F.R. § 164.502(b).

When you are done with Privacy, you need to understand the requirements for Security. There are no exemptions from the Security Rule. If the plan administrator is sending information or enrollment forms to the carrier or insurance agent, that information is required to be protected in transmission, at rest and in storage. Your plan administrator needs security policies and procedures in place so they know how to protect any PHI they encounter. You must also make sure the breach rules are covered, with a process to communicate any disclosure of PHI to unauthorized third parties.

Real World Issues

Why are HIPAA Privacy and Security so important? Your employees entrust you with their personal and sensitive information, and they have a reasonable expectation that you protect what is in your possession. Beyond HIPAA, there are state laws and even lawsuits that have been brought against carriers, employers and healthcare providers that failed in their duty to protect that information.

A high-profile case that we can point to is the Sony hack. Sony was sued by current and past employees, and recently settled for $8 million. [2] Imagine if a breach opened up the records that your HR office holds on your employees. Recent estimates claim it takes up to $200 per employee to meet the notification requirements when there is a breach.

Most businesses are not prepared for the shocks that come with a breach, nor do they have a plan to protect their employees. This is why HIPAA compliance is so important and needs to be addressed by most employers.

If you are still convinced that HIPAA doesn’t apply to your health plan, we suggest consulting with your legal counsel to make sure they are in agreement.

1. https://www.gpo.gov/fdsys/pkg/CFR-2003-title45-vol1/xml/CFR-2003-title45-vol1-sec164-530.xml
2. http://www.nbcnews.com/tech/security/sony-hack-lawsuit-settlement-could-cost-company-8-million-n447896

Related Posts

Essential Guide to Email Authentication and Deliverability: How to Configure DMARC, SPF, and DKIM Records
*This process is technical and requires access to your Domain Name System (DNS) records. It’s recommended to have an IT professional handle these configurations to avoid potential issues. If you proceed yourself, back up your current settings with screenshots or copies before making any changes.
Organizations rely heavily on email for marketing and communication, making it a prime target for malicious actors. Phishing, spoofing, and other email attacks can inflict significant financial and reputational damage. In response to this growing threat, email providers are tightening their security measures, and businesses that aren’t paying attention risk having their emails blocked.
A recent announcement on Microsoft’s Tech Community blog states that Outlook is implementing stricter requirements for high-volume senders to protect users from unwanted and potentially harmful messages. This move serves as a clear signal: email authentication is no longer optional – it’s required for all organizations, regardless of their sending volume.
The key to making sure your emails reach their intended recipients is the configuration and alignment of your Domain-based Message Authentication, Reporting and Conformance (DMARC), Sender Policy Framework (SPF), and DomainKeys Identified Mail (DKIM) records. These protocols let receiving servers verify that your organization actually sent the emails, so your messages are treated as legitimate rather than sent to spam folders or blocked.
What makes SPF, DKIM, and DMARC so crucial?
SPF (Sender Policy Framework): This DNS record lists the mail servers authorized to send email on your domain’s behalf. When a receiving server gets an email claiming to come from your domain, it looks up your SPF record and checks whether the sending server’s IP address is on that list. This helps prevent attackers from spoofing your domain using unauthorized servers.
DKIM (DomainKeys Identified Mail): DKIM adds a digital signature to your outgoing emails. This signature is cryptographically linked to your domain and verified by the receiving server using a public key published in your DNS records. DKIM ensures the integrity of the email content and confirms that it hasn’t been tampered with in transit.
DMARC (Domain-based Message Authentication, Reporting & Conformance): DMARC builds upon SPF and DKIM. It tells receiving servers what to do with emails that fail SPF and/or DKIM checks. You can set policies to “none” (monitor), “quarantine” (send to spam), or “reject” (block). DMARC also enables reporting, allowing you to gain valuable insights into who sends emails using your domain and identify potential spoofing attempts.
Microsoft’s Stance: A Wake-Up Call
The stricter requirements being implemented by Outlook for high-volume senders emphasize the need for organizations to set up and review their authentication protocols. While the current focus is on high-volume senders, the direction is clear: email providers are looking for authenticated mail. Failing to correctly set up your DMARC, SPF, and DKIM records will lead to email deliverability issues.
What Your Company Needs to Do Now:
Regardless of size or email volume, every company should take the following steps to make sure its email authentication is configured correctly. Here’s a checklist:
  • Audit Your Existing Records: Check for existing SPF, DKIM, and DMARC configurations. Are they accurate and up-to-date?
  • Implement Missing Records: If you are missing any of these records, add them immediately. *Consult with your IT team or email service provider for guidance.
  • Check Alignment: It’s crucial to make sure there is alignment between your SPF, DKIM, and DMARC records. This means that the domain used for SPF and the signing domain in DKIM should match the “From” address domain in your emails. DMARC relies on this alignment to function effectively.
  • Start with a Monitoring Policy: For DMARC, it’s often best to start with a “none” policy to monitor how your emails are being handled and identify any legitimate sending sources that might not be properly authenticated.
  • Gradually Enforce Stronger Policies: Once you clearly understand your email flows and have addressed any authentication issues, move gradually towards stronger DMARC policies like “quarantine” or “reject” to actively protect your domain from spoofing.
  • Regularly Review and Update: The email landscape is constantly changing. Regularly review and update your authentication records as needed, especially when changing your email or third-party sending services.
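As an added example (not part of the original post or of Total HIPAA’s own tools), the script below evaluates a message the way a receiving server does: it checks the sending IP against an SPF record, then applies the DMARC alignment modes and policy described in the checklist above. The DNS TXT records are constructed sample data, the organizational-domain logic is simplified, and only ip4/ip6 SPF mechanisms are handled.

```python
import ipaddress
# Constructed sample DNS TXT records for a hypothetical domain; no real DNS lookups are made.
SAMPLE_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.10 ip4:198.51.100.0/24 -all",
    "_dmarc.example.com": "v=DMARC1; p=quarantine; adkim=r; aspf=s; rua=mailto:dmarc@example.com",
}

def parse_tags(record):
    """Split a 'tag=value; tag=value' record (DMARC/DKIM style) into a dict."""
    return dict(p.strip().split("=", 1) for p in record.split(";") if "=" in p)

def spf_allows(domain, sender_ip, txt=SAMPLE_TXT):
    """Minimal SPF check: handles ip4/ip6 mechanisms and the trailing 'all' only
    (include:, a, mx need live DNS). Returns True/False, or None if no record exists."""
    record = txt.get(domain)
    if not record or not record.startswith("v=spf1"):
        return None
    ip = ipaddress.ip_address(sender_ip)
    for mech in record.split()[1:]:
        qualifier = "+"                      # '+' pass, '-' fail, '~' softfail, '?' neutral
        if mech[0] in "+-~?":
            qualifier, mech = mech[0], mech[1:]
        if mech.startswith(("ip4:", "ip6:")):
            if ip in ipaddress.ip_network(mech[4:], strict=False):
                return qualifier == "+"
        elif mech == "all":
            return qualifier == "+"
    return False                             # nothing matched: not authorized

def org_domain(domain):
    """Organizational domain, simplified to the last two labels (real DMARC uses the Public Suffix List)."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """Strict ('s') alignment needs an exact match; relaxed ('r') needs the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_verdict(from_domain, spf_domain, spf_ok, dkim_domain, dkim_ok, txt=SAMPLE_TXT):
    """Combine SPF/DKIM outcomes with the DMARC record: returns (dmarc_pass, policy_to_apply).
    spf_domain is the MAIL FROM domain, dkim_domain the d= tag of a verified signature."""
    record = txt.get(f"_dmarc.{from_domain}")
    if not record or not record.startswith("v=DMARC1"):
        return None, "none"                  # nothing published: receivers apply no policy
    tags = parse_tags(record)
    spf_aligned = bool(spf_ok) and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_aligned = bool(dkim_ok) and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    passed = spf_aligned or dkim_aligned
    return passed, "none" if passed else tags.get("p", "none")
```

With `aspf=s`, mail that passes SPF from a bounce subdomain still fails DMARC unless a DKIM signature aligns, which is exactly the kind of legitimate-but-unaligned source a “none” monitoring phase is meant to surface before moving to “quarantine” or “reject”.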
The Benefits of Proper Email Authentication:
Properly configuring and aligning your DMARC, SPF, and DKIM records offers significant benefits:
  • Improved Email Deliverability: Your legitimate emails are more likely to reach the inbox, avoiding spam folders and blocks.
  • Enhanced Brand Reputation: Protecting your domain from spoofing builds trust with your recipients and safeguards your brand’s reputation.
  • Increased Security: You significantly reduce the risk of your domain being used for phishing and other malicious activities.
  • Compliance with Evolving Standards: By staying ahead of the curve, you ensure your email practices align with the increasingly stringent requirements of email providers.
The message is clear: email authentication is no longer optional. The recent emphasis from major providers like Microsoft underscores its critical importance in maintaining reliable and secure email communication. By taking the steps to audit and align your DMARC, SPF, and DKIM records, your organization can protect itself, customers, and reputation. Don’t wait until your emails are blocked – act now to secure your email.
Tools for checking your records:
  • DMARC lookup: https://www.totalhipaa.com/dmarc-lookup-free/
  • All records (a free and easy tool to use): https://easydmarc.com/
