Guide to Understanding HIPAA as an Employer

5 September 2023

How much do you know about your employees’ medical history? And how safe is the information?

These are two important questions for every employer to answer. To understand how laws about health information privacy can impact employers, let’s review what HIPAA is and how it works.

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 was originally intended to ensure that workers could keep their health insurance when they moved from one job to another. The law also allows workers to enroll in another group health plan—without discrimination—if they lose coverage due to a job change or other life event.

HIPAA has two parts which can impact an employer:

  1. Privacy Rule: The Privacy Rule protects the confidentiality of an individual’s health information and governs how it may be shared. This Rule is important to medical providers, insurance companies, and anyone else who has access to an individual’s Protected Health Information (PHI). HIPAA states that only the minimum information necessary to do the job should be accessed. For example, a doctor can see all the information, but a billing clerk can only know that a lab test was done, not the results.
  2. Security Rule: Designed to protect electronic Protected Health Information (ePHI), the Security Rule is a strict set of national standards that cover both technical and non-technical ways of maintaining confidentiality. The standards are flexible, so that they can be adapted to the resources and size of the organization.

For employers, this means extremely limited access to employees’ health information. There can be no risk of discovering anything that could lead to real, or perceived, discrimination. Even something as simple as sending out an email that says “Jane Doe is on medical leave” instead of “Jane Doe is on leave” can be a violation, even though an employer is not directly regulated by HIPAA.

Employers are expected to do a few things to comply with the Security Rule, including checking the company computer system to identify and remove any ePHI, and to appoint a Security Officer (often the same person as the Privacy Officer).

What is PHI?

Protected Health Information (PHI) is the “individually identifiable health information” that can connect a person to their medical records. Because information can be easily electronically shared between doctors, dentists, other services, and insurance companies, HIPAA’s goal is to eliminate unnecessary transmission of PHI, to protect the individual. PHI includes:

  • Demographic data (name, address, phone, email, birth date, Social Security Number, etc.)
  • Any information about an individual’s medical or mental history and treatment
  • Information about payment and reimbursement for services and treatment

Who is responsible for maintaining the Privacy and Security Rules?

The U.S. Department of Health & Human Services (HHS) oversees HIPAA, but the burden of responsibility is split three ways among what are called “covered entities”:

  1. Health Care Providers: Anyone who transmits health information electronically
  2. Health Plans: The insurance plans that cover and pay for medical care
  3. Health Care Clearinghouses: Companies that use PHI for claims and billing

HIPAA has strict rules regarding training for all employees who have access to PHI. In conjunction with this, it is important to reiterate that not all employees of a covered entity should have access to medical records. For example, only certain employees at a health insurer can legally access your information, and you cannot grant other employees your personal permission to access those records. There are also hefty fines for violating the Privacy Rule.

So where do employers fit in?

While employers are not regulated by HIPAA, they are covered because they are sponsors of most of the health care plans in the nation. Most large employers use what are called self-insured health plans, which means they control what is covered and paid for on the insurance plan and contract out the management of the plan to a traditional health insurance company. The goal of HHS is to make sure that employers do not have access to PHI or ePHI and use it to discriminate against any employee. Therefore, tight guidelines direct how employee health information can be passed from the health care plan to the plan sponsor, the employer.

How do Group Plans comply with HIPAA?

Most employers that have group plans have very few issues with HIPAA compliance. If a plan has fifty or more employees enrolled, the HIPAA Privacy Rule is automatically in place. It applies to the plan, but not the employer. However, an employer should limit how much medical information is used for workplace issues. The group plan can disclose:

  • Names of employees who are enrolled or have disenrolled.
  • A “summary information” report with general data to use for evaluating coverage, changing benefits, and comparing premium bids. The report contains no personal identifiers, but provides information on claims and expenses.

HIPAA considers these to be normal business functions. Because there is no PHI or other sensitive information, the employer is able to proceed without breaking any HIPAA Privacy regulations. The less the employer knows about medical information, the better.

What about employers who are self-insured or “self-funded”?

Self-insured plans, including health care FSAs, receive PHI. It’s different for employers who handle their own health care benefits using Section 105 Reimbursement Plans. HHS presumes that these employers have direct access to health care information about their employees. Often, a company employee may have responsibility for processing claims and can learn everything about an individual’s medical and mental status. HHS calls this a “hybrid entity” and requires the portion of the company that deals with PHI to establish data and information “firewalls” to protect employee confidentiality; physical safeguards are also necessary to protect PHI. Privacy policies must be in place and a Privacy Officer appointed. Training must be provided and documented.

What’s the verdict on Workplace Wellness Programs and the HIPAA Privacy Rule?

It depends. If a Wellness Program is part of the group health plan, all individual PHI is covered under the Privacy Rule; the group health plan is responsible for protecting the PHI. General information can be shared for planning and making the most of a wellness program. HHS states, “For example, some employers may offer certain incentives or rewards related to group health plan benefits, such as reductions in premiums or cost-sharing amounts, in exchange for participation in a wellness program.”

If an employer offers a wellness program directly, or in cooperation with an independent wellness program organization, information and test results collected from employees are not covered by HIPAA. (However, other state or Federal laws may cover the situation, so employers should check.) As always, information cannot be used to discriminate and the employer should have access to as little information as possible.

What about medical information regarding disability accommodation?

The Americans with Disabilities Act (ADA) and HIPAA coordinate when certain information is required. When an employee requests accommodation, and the disability is not obvious or known, an employer may ask for documentation, or even to speak with the employee’s physician or providers, in order to understand what types of accommodation are needed. Before allowing the employer to contact any provider, the employee should sign a Release of Medical Information form. The employer may only obtain the basic information necessary to assist the employee. The employer may not ask about diagnosis or other treatments.

While the HIPAA Privacy Rule is complicated, it is meant to protect everyone from having their medical history shared without cause. It gives patients control over their health information and establishes boundaries about how their information may be used. It is meant to be powerful, not punitive.

As HHS Secretary Tommy Thompson explained when he presented the Privacy Rule: “We have laws in this country to protect the personal information contained in bank, credit card and other financial records. Our citizens must not wait any longer for protection of the most personal of all information — their health records.”