Newcomb, Sabin, Schwartz & Landsverk, LLP Resources


EMPLOYER'S GUIDE TO HIPAA PRIVACY REGULATIONS


Contents

  1. What is HIPAA?
  2. What do the HIPAA Privacy Regulations address?
  3. Who is covered by HIPAA Privacy Regulations?
  4. What is the timeline for compliance?
  5. What are the basic obligations under the Privacy Regulations?
  6. What typical employer activities might implicate HIPAA Privacy Regulations?
  7. What employer activities do not trigger HIPAA coverage?
  8. How does an employer’s involvement with its health plan alter its HIPAA obligations?
  9. What are an employer’s obligations as a plan sponsor which receives PHI?
  10. What are consents and authorizations?
  11. What are the penalties for non-compliance?
  12. Appendix I - Definitions
  13. Appendix II - HIPAA's Administrative Requirements
  14. Appendix III - Sample HIPAA Authorization Form
  15. Footnotes

This outline addresses when the HIPAA Privacy Regulations come into play for an employer. For most employers, HIPAA obligations should be minimal unless the employer is actively involved in managing or overseeing a group health plan.

1. What is HIPAA?

HIPAA is the Health Insurance Portability and Accountability Act, which was passed by Congress in 1996. Most employers are familiar with HIPAA’s rules governing the portability of health insurance when changing employers.

Under HIPAA, the federal Department of Health and Human Services was also directed to draft Privacy Regulations governing use of medical information by group health plans.

2. What do the HIPAA Privacy Regulations address?

  1. HIPAA Privacy Regulations place restrictions on the availability and use of “protected health information” or “PHI” that employers may be accustomed to receiving, and impose civil and criminal penalties for violating the regulations.

  2. Protected health information or PHI is generally any individually identifiable health information that is transmitted or maintained by electronic or other media that relates to an individual’s past, present or future physical or mental health, treatment, payment for services or health care operations.

3. Who is covered by HIPAA Privacy Regulations?

  1. “Covered Entities” directly regulated by HIPAA Privacy Regulations are:

    1. Health plans

    2. Health care clearinghouses (such as billing services or health care management organizations)

    3. Health care providers that transmit health information in electronic form in connection with a transaction covered by the regulations.

      Best practice tip:
      Most commentators assume that all contacts with health care providers are covered, although that may be an overbroad reading of the regulations. It is best to assume that the health care provider will consider all its operations covered and will require a HIPAA authorization before releasing information.

      Exclusions:

      Group health plans with fewer than 50 employees.

  2. When are employers covered?

    1. Employers are subject to specific and extensive regulatory burdens if they obtain and use protected health information to administer their own health plan or are involved in making or reviewing benefit decisions.

    2. Other employers will be indirectly affected in that they can obtain protected information from a covered entity only by a written authorization.

      Best practice tip:
      Employers should consider to what extent they need and want to obtain protected health information or “PHI” from a covered entity. The burdens from HIPAA are minimal if PHI is not routinely obtained as part of the ongoing administration or oversight of a covered health plan.

4. What is the timeline for compliance?

The implementation deadline is April 14, 2003, except for “small group plans” which have until April 14, 2004.1

5. What are the basic obligations under the Privacy Regulations?

  1. Covered entities may use protected health information or “PHI” without express authorization for treatment, payment and health care operations, including for plan purposes such as enrollment, eligibility determinations, claims determination, claims payment, pre-certification, and reviewing status of payment.

  2. Covered entities may not use or disclose PHI except and only to the extent authorized by the person who is the subject of the PHI or as explicitly required or authorized by the Privacy Regulations.

  3. Even where use or disclosure of PHI is allowed under the Privacy Regulations, only the “minimum necessary” information required to accomplish the treatment, payment or health care operations can be used or disclosed.

6. What typical employer activities might implicate HIPAA Privacy Regulations?

  1. General rule: Authorizations are required to obtain and use PHI from a covered entity for purposes other than treatment, payment or health care operations. For example, authorizations would be required to obtain information for litigation, or for employment-related purposes such as return-to-work evaluation from the group health plan or a covered health care provider.

  2. Examples where authorization is needed to perform functions within the employer’s organization:

    1. Drug treatment: Where an employer obtains information about drug utilization from its group health plan or covered health care provider and uses that information to suspend an employee and order them to obtain substance abuse treatment before returning to work.

    2. Internal use of benefit claims files:

      1. Supervisor calls the employer’s benefits office to learn how long an employee is expected to remain in the hospital;

      2. HR staff uses medical records from the benefits files to process an application for accommodation under the ADA;

      3. Employer’s legal counsel uses benefit claim file information to compare to workers’ compensation filing to see if the two are consistent;

      4. Union representatives call the employer’s group health plan to obtain information to assist in filing a grievance;

    3. Disabilities accommodation issue: Employee requests accommodation under the ADA, and employer needs updated medical information from employee’s physician regarding what restrictions apply.2

    4. Family and Medical Leave (FMLA, OFLA or Washington leave law):

      1. Employee requests leave under the FMLA due to a serious health condition, and employer requires a medical certification directly from the physician.3

      2. Employer or employer’s physician contacts the employee’s physician to discuss or clarify return-to-work certification.4

    5. Return to work authorizations or light or modified duty.

      An employer should obtain an authorization if it wants to confer directly with a physician regarding work restrictions.

    6. Pre-employment physical examinations from a covered health care provider.

    7. OSHA monitoring programs conducted by a party that is a covered entity.

      Best Practice Tip:
      Even when authorization is provided, the party disclosing must limit the information disclosed to that which minimally meets the requirements of the party receiving the information.

      If an employee requests ADA accommodation or FMLA leave and refuses to provide a requested authorization, they may be putting their eligibility for that benefit in jeopardy. HIPAA Privacy Regulations do not create a right to refuse to cooperate with a legitimate request for information.

7. What employer activities do not trigger HIPAA coverage?

  1. Authorizations not required:

    1. If the information is obtained directly from the employee or other sources unrelated to the group health plan or covered provider, authorizations are not required.

      For example, when an employee calls in sick, the employer is free to discuss the illness without an authorization.

      Best practice tip:
      It is still advisable to keep any medical information you obtain confidential and share it only with those with a need to know.

  2. Worker compensation administration

    With regard to workers’ compensation, the Privacy Regulations allow a health care provider to disclose PHI to an employer when the following conditions are met:

    1. the disclosure is for the purpose of evaluating whether the individual has a work-related injury or illness;

    2. the disclosed PHI consists of findings regarding a work-related illness or injury;

    3. the employer needs the findings in order to comply with workers’ compensation laws; and

    4. the health care provider provides written notice to the individual that such PHI is disclosed to employers (this can be done by posting a prominent notice at the location if the health care is provided at the employer’s work site).

      45 C.F.R. § 164.512. Thus, PHI necessary in order to comply with workers’ compensation laws can be disclosed, and a determination as to the extent of PHI necessary will turn on an analysis of state laws concerning workers’ compensation. In order to obtain more information than is required to be disclosed under state law, the employer would have to obtain a valid authorization from the employee.

  3. On-site medical services

    Not covered unless a group health plan is electronically billed for the services rendered or private health information is electronically transferred.

  4. Short- and Long-Term Disability Plans

    1. Disability plans are not covered entities.

    2. HIPAA regulations do not control.

    3. May be affected if the plan administrator seeks PHI from a covered entity.

      Best practice tip:
      Employers should not turn to the group health plan to obtain evidence of disability on behalf of the employee unless the employee has provided a valid authorization.

  5. Employer activities not related to the group health plan that do not involve HIPAA:

    1. enrolling employees in plan

    2. sending rosters of enrolled employees to plan

    3. disenrolling employees from a plan

      Note: Under the Privacy Regulations, such information is considered protected health information when in the hands of the health plan and others covered by the regulation.

  6. A plan sponsor (i.e., employer) can receive from its group health plan “summary health information” for the purpose of bidding out insurance premiums or in order to modify, amend, or terminate the group health plan.5

    Summary health information is individual health information in a format that summarizes the claims history of individuals and from which specific identifying information has been deleted.

8. How does an employer’s involvement with its health plan alter its HIPAA obligations?

HIPAA’s impact will depend on the nature of the employer’s health plan coverage, ranging from fully-insured to self-insured or self-administered.

  1. The fully-insured employer: The Privacy Regulations do not regulate employers with fully-insured health plans, which are not involved in making or reviewing benefit decisions and do not routinely receive protected health information.

  2. The self-insured employer

    1. Third party administrator: The Privacy Regulations do not regulate employers with self-insured plans that use a third party to administer the plan, do not make or review benefit decisions, and do not routinely receive protected health information.

    2. Employers who become active in the decision-making process in the administration of the self-insured plan, or employers who operate or control the provision of health coverage, will have extensive obligations as the Plan Sponsor (described below).

9. What are an employer’s obligations as a plan sponsor which receives PHI?

  1. Beyond the narrow exception for summary information for bidding purposes, in order to disclose PHI to the Plan Sponsor Employer, a group health plan must obtain assurances from the Plan Sponsor that its applicable plan documents restrict use and disclosure of such information as detailed below.6 This is where the more onerous privacy requirements discussed below begin to kick in.

    • If employers do not receive PHI, they do not have to do all the things detailed in the following paragraphs.7

    • An employer, whether fully-insured or self-insured, that elects to receive PHI will have to make extensive changes to plan documents and restrict use and disclosure of the protected information. This is referred to as the “504(f) election.”

  2. If employers decide that they need to receive PHI from the group health plan (a covered entity), there are several preliminary steps the health plan must take in order to disclose PHI. The plan documents must be amended to:

    1. Incorporate provisions to establish the permissible and required uses and disclosures that the plan sponsor may make; and

    2. Provide that the group health plan will only disclose information to the plan sponsor upon receipt of the plan sponsor’s certification that the plan documents have been amended and that the plan sponsor agrees to:

      1. Use and disclose PHI only to the extent permitted or required by the plan documents;

      2. Ensure that any of its agents who view PHI agree to the same conditions and restrictions that govern the plan sponsor’s use and disclosure of information;

      3. Refrain from using or disclosing the information for employment-related purposes;

      4. Report any unauthorized use or disclosure of which it becomes aware;

      5. Allow individuals access to their PHI as required;

      6. Allow amendments to PHI as required by HIPAA;

      7. Otherwise comply with HIPAA with regard to accountings of disclosures, making records available to the Secretary;

      8. To the extent feasible, return or destroy all PHI received from the group health plan which is no longer needed; and

      9. Ensure that an adequate “fire wall” as required by the Regulations is in place, describing which employees have access to the PHI, restricting access to such individuals and for such use as is necessary for plan administration functions, and providing methods by which noncompliance can be resolved.8

      10. Satisfy the administrative requirements described in Appendix II below.

10. What are consents and authorizations?

HIPAA makes a distinction between a consent and an authorization.

  1. Consents

    Consent is usually a short, general statement obtained at the time an individual receives treatment from a health care provider, or that is obtained at the time of enrollment in a health plan. Consent enables the health care provider to use and disclose the patient’s PHI for treatment, payment, and health care operations purposes. A consent must follow standards and specifications set forth under the rule.9

    1. Health care plans and providers may want to obtain consents as a routine matter in order to comply with state laws.

      A health care plan may require a consent signed as a condition of enrollment.

    2. If a consent form is offered at the time of enrollment in a health plan, and the enrollee refuses to sign it, the health plan can refuse to admit the employee.10

      • If an employee refuses to sign a consent to permit a health plan to use PHI for plan administration purposes, then the health plan may not use the information. This bar applies whether the refusal to sign was intentional or inadvertent.

      • Generally, employers will NOT need consents unless the employer maintains a health facility and provides treatment.

      • Consents must be written in plain language and contain terms specified in the regulations.

  2. Authorizations permit release of specific health information to designated parties for specific purposes:

    • Employers will need to use authorizations on a regular basis.

    • Authorizations must be written in plain language and contain the following terms:

      1. A specific description of the information to be used or disclosed;

      2. The name or other identification of the person/entity authorized to make the requested use or disclosure;

      3. The name or other identification of the person/entity to whom the covered entity may make the requested use or disclosure;

      4. A date (or description of an event) upon which the authorization will expire;

      5. A statement of the individual’s right to revoke the authorization in writing, and any exceptions to that right to revoke, along with instructions regarding how to revoke;

      6. A statement that information disclosed pursuant to the authorization may be subject to disclosure by the recipient and might lose its protected status; and

      7. The authorizing individual’s signature and the date.

      45 C.F.R. § 164.508(c). Additionally, if the authorization is signed by an individual’s personal representative, the authorization must describe the personal representative’s authority to act for the individual. Id.

11. What are the penalties for non-compliance?

  1. HIPAA imposes civil and criminal penalties for failing to comply with the Privacy Regulations. Penalties begin at $100 per violation, up to a maximum of $25,000.

  2. Criminal penalties apply for a deliberate offense, such as intent to sell the information, ranging from $50,000 and one year in prison up to $250,000 and ten years.

  3. HIPAA makes employers liable for violations of their business associates if the employer is aware of the wrongdoing.11

APPENDIX I
Definitions12

Health Care Clearinghouse - a “public or private entity, including a billing service, repricing company, community health management information system or community health information system, and ‘value-added’ networks and switches, that either” processes or facilitates the processing of health information from a non-standard billing format into a standard format, or vice versa.

Health Care Provider - a “provider of services, a provider of medical or health services, and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business.” Examples would be physicians and hospitals.

Health Plan - an “individual or group plan that provides, or pays the cost of medical care.” Examples would be: a group health plan, a health insurance issuer, an HMO, the Medicaid program, an employee welfare benefit plan “or any other arrangement that is established or maintained for the purpose of offering or providing health benefits to the employees of two or more employers.”

Health Insurance Issuer - “[A]n insurance company, insurance service, or insurance organization that is licensed to engage in the business of insurance in a state and is subject to state law that regulates insurance.” “Group health plans” are not included in this definition.

Plan Sponsor - as defined at section 3(16)(B) of ERISA, 29 U.S.C. 1002(16)(B): “(i) the employer in the case of an employee benefit plan established or maintained by a single employer, (ii) the employee organization in the case of a plan established or maintained by an employee organization, or (iii) in the case of a plan established or maintained by two or more employers or jointly by one or more employers and one or more employee organizations, the association, committee, joint board of trustees, or other similar group of representatives of the parties who establish or maintain the plan.”

Business Associate - A person other than an employee in the covered entity’s workforce, or an entity that assists a covered entity by performing or assisting in the performance of (1) a function or activity involving the use or disclosure of individually identifiable health information (e.g. claims processing, data analysis, quality assurance, billing, benefit management); or (2) a function or activity regulated by HIPAA. Examples are third-party administrators, preferred provider organizations, payroll service vendors, attorneys, systems vendors.

Health Information - Any information, regardless of whether it is oral or recorded in any manner, that:

“is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and

Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.”

Individually Identifiable Health Information - “Individually identifiable health information is information that is a subset of health information, including demographic information collected from an individual, and: (1) Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and (2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and (i) That identifies the individual; or (ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual.”

Protected Health Information - “[I]ndividually identifiable health information” that is transmitted or maintained by or in electronic media or any other media.

Summary Health Information - Information that may be individually identifiable health information but which summarizes the claims history of an individual for whom a plan sponsor has provided health benefits under a group health plan, and from which specific, identifying information has been deleted. Information can be summarized statistically or redacted, whereby all information that could link the PHI to an individual has been removed. Employers can use this summary health information to analyze benefit use, negotiate new or changes in coverage, or evaluate various cost alternatives without obtaining authorizations.

APPENDIX II
HIPAA’s Administrative Requirements

  1. The Privacy Regulations require that covered entities provide individuals with a “Notice of Privacy Practices.”13 This Notice would go to individuals whose PHI might be used or disclosed by the covered entity, and would provide them with notice of the uses and disclosures of PHI that the covered entity might make, and of the individuals’ rights with respect to the PHI.

  2. The Notice must contain the following language prominently: “THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.” Additionally, the Notice must describe:

    1. the group health plan’s uses and disclosures of PHI (providing at least one example of such use or disclosure);

    2. the individual’s privacy rights with respect to the PHI;

    3. the covered entity’s legal duties with respect to the PHI;

    4. the individual’s rights to file a complaint with the Plan or with HHS; and

    5. contact information in order to obtain further information concerning the plan’s privacy practices.14

  3. The above list is a highly simplified representation of the actual content requirements for the notice. This document must meet several specific requirements, and should be carefully drafted.

  4. Health plans must provide the required Notice no later than the compliance date. Additionally, the health plan must give the Notice to any new enrollees at the time of their enrollment. Finally, no less often than every three years, the plan must inform any individuals then covered by the plan of the availability of the Notice and how to obtain a copy.15 Compliance with the Notice requirement must be documented and the documentation must be maintained as required.

  5. A fully-insured group health plan that receives only summary health information or information about participation or enrollment in the plan is not required to provide this notice.16 A fully-insured group health plan that does create or receive PHI in addition to summary health information must (1) maintain a Section 520 notice and (2) provide the notice to any person upon request.

  6. In addition to the Notice of Privacy Practices, HIPAA requires that covered entities do the following to implement HIPAA’s policies:

    1. Designate a privacy official (and document that designation) responsible for the development and implementation of the entity’s privacy policies and procedures;

    2. Designate a contact person (and document that designation) to receive complaints about HIPAA procedures/violations and who can provide further information about HIPAA;

    3. Train all employees on policies and procedures regarding PHI, so that the employees can adequately perform their jobs with the covered entity;

    4. Implement appropriate administrative, technical, and physical safeguards to protect the privacy of PHI;

    5. Adopt a complaint process for individuals to complain about the entity’s HIPAA policies and procedures or failure to comply with HIPAA;

    6. Implement and apply “appropriate sanctions” against its employees who fail to comply with HIPAA or the entity’s HIPAA policies and procedures;

    7. Mitigate, to the extent practicable, any harmful effects known to the covered entity resulting from an unauthorized use or disclosure of PHI;

    8. Refrain from intimidating, threatening, discriminating against, or retaliating against any individual for exercising HIPAA rights or filing a complaint or testifying about failures to comply with HIPAA; and

    9. Implement policies and procedures concerning handling PHI and designed to comply with HIPAA’s mandates.17

    10. Make HIPAA compliance a contractual condition for all “Business Associates” such as attorneys, accountants, consultants or actuaries.18

Appendix III
SAMPLE
HIPAA AUTHORIZATION FORM

I authorize the specified person(s) to disclose protected health information as follows:


1. Person authorized to make disclosure:

[name of health care provider, insurer, etc.]

2. Person authorized to receive the disclosed information:

[name of your company]

3. Specific description of the protected health information that may be used or disclosed:


4. This authorization shall expire on the following date or event:

[specify date or event]

5. I understand that the information received pursuant to this authorization may be disclosed by the recipient and might lose its protected status.

6. I understand that I may revoke this authorization at any time by giving written notice to

[specify how authorization can be revoked]

Signature                                                                                     Date

Name:

Name of personal
representative
(if applicable):

Description of
personal representative’s
authority:

Footnotes:

1 Small group plans are defined as “a health plan with annual receipts of $5 million or less.” 45 C.F.R. § 164.534.

2 Example from the EEOC Technical Assistance Manual, §36.

3 Employer may request medical certification from health care provider. 29 C.F.R. § 825.305. Information requested should be limited to that necessary to verify the leave request.

4 29 C.F.R. § 825.310.

5 45 C.F.R. § 164.504(f).

6 Id.

7 Programs like flexible spending accounts or § 125 plans can be considered Group Health Plans under HIPAA. Administration of these plans may well require receipt of PHI, and the plan sponsor would then have to amend the plan documents as detailed below.

8 45 C.F.R. § 164.504(f).

9 45 C.F.R. § 164.506.

10 45 C.F.R. § 506(b)(2).

11 SSA § 1177.

12 See 45 C.F.R. § 160.103.

13 45 C.F.R. § 164.520.

14 45 C.F.R. § 164.520(b).

15 45 C.F.R. § 164.520(c).

16 45 C.F.R. § 164.520.

17 45 C.F.R. § 164.530.

18 Id.


Disclaimer: The materials available on this web site are for informational purposes only. Nothing on this site should be construed as legal advice or opinion. It is important that you consult an experienced attorney concerning your particular factual situation. Do not rely solely on the information provided on this web site.

© 2002 Newcomb, Sabin, Schwartz & Landsverk, LLP.