Are You Ready for HIPAA Privacy? Employer Obligations Under the Newly Enacted Privacy Rule
The Employment and Labor Law Alert
December 9, 2002
WHAT IS HIPAA?
The Health Insurance Portability and Accountability Act (“HIPAA”) was signed into law on August 21, 1996 and addresses a variety of issues relating to health insurance and the confidentiality of health information. Employers are no doubt already familiar with the portability provisions of HIPAA, which protect health insurance coverage for workers and their families when they change or lose their jobs and include rules relating to pre-existing conditions and the portability of health insurance coverage. HIPAA also sets forth “Administrative Simplification” provisions, which require the Department of Health and Human Services to issue regulations establishing national standards for electronic health care transactions and national identifiers for providers, health plans, and employers, while also providing for and protecting the security and privacy of the transmitted information.
WHAT ARE THE DIFFERENT HIPAA REGULATIONS?
Pursuant to the Administrative Simplification provisions of HIPAA, the Department of Health and Human Services has issued three sets of regulations.
- The Standard Transactions Rule: standardizes the exchange of electronic information among health plans, health care clearinghouses and health care providers. The compliance deadline for this electronic data interchange (“EDI”) rule was October 16, 2002, although those covered by the rule were permitted to apply for a one-year extension by October 15, 2002.
- The Security Rule: sets forth the obligations of entities to appropriately safeguard information under their control once it has been disclosed to them. Although these security regulations have been proposed, they are not yet in final form and there is no compliance deadline at this time.
- The Privacy Rule: governs the manner in which health information is used and disclosed. The final rule has now been published, and the compliance deadline is April 14, 2003.
WHO IS COVERED BY THE PRIVACY REGULATIONS?
The HIPAA privacy regulations apply to “covered entities,” which are defined as health plans, health care providers, and health care clearinghouses.
WHAT ARE “HYBRID ENTITIES”?
A subgroup of covered entities is “hybrid entities,” which use or disclose protected health information (“PHI,” defined below) for only a part of their business operations. Only those divisions or components of a hybrid entity that meet the definition of a covered entity are required to follow the HIPAA rules. Hybrid entities are required to create “firewalls” between their health care components and the other components of their businesses. A transfer of PHI held by the health care component to other components of the hybrid entity is a disclosure subject to the HIPAA privacy regulations.
WHAT IS COVERED BY THE PRIVACY REGULATIONS?
The privacy rules regulate the use and disclosure of protected health information (“PHI”) and grant individuals certain rights with respect to their PHI. As defined in the regulations, PHI is individually identifiable health information that is transmitted or maintained electronically or in any other form. In this regard the privacy regulations place obligations on covered entities that use or disclose PHI. Generally, covered entities may not use or disclose PHI without the authorization of the individual who is the subject of the information, except as disclosure may otherwise be permitted by the regulations.
PHI is defined broadly, and the identifiers that make health information individually identifiable include: name, address, names of relatives, name of employer, birth date, telephone numbers, fax numbers, electronic mail address, Social Security number, medical record number, health plan beneficiary number, account number, certificate/license number, any vehicle or other device serial number, web uniform resource locator (URL), Internet Protocol (IP) address, finger or voice print, photographic images, and any other unique identifying number, characteristic, or code.
WHAT ARE AN EMPLOYER’S OBLIGATIONS UNDER HIPAA?
Obligations will vary depending on whether the employer is self-insured or sponsors a Group Health Plan. Further, if the employer is a sponsor of a Group Health Plan, its obligations may vary depending on what information is received or obtained from the health plan. On the one hand, if the employer receives only summary information and/or enrollment information, its obligations will be minimal. On the other hand, if the employer actively manages the Group Health Plan, then the employer will have many obligations.
WHAT ARE THE OBLIGATIONS OF A SELF-INSURED EMPLOYER?
An employer with a self-insured plan is a hybrid entity and, as a result, has many obligations. Not only do these employers have to comply with the rules governing use and disclosure, but they must also comply with a litany of administrative requirements, including:
- Designating a privacy official;
- Designating a contact person responsible for receiving complaints;
- Training employees on the policies and procedures;
- Establishing appropriate administrative, technical and physical safeguards to protect the privacy of PHI;
- Providing a process for individuals to make complaints;
- Applying appropriate sanctions against members of its workforce who fail to comply;
- Mitigating the harmful effects of violations of policies and procedures;
- Refraining from intimidating or retaliatory acts against individuals who exercise their rights under the Privacy Rule; and
- Establishing policies and procedures to comply with the regulations.
ARE EMPLOYERS THAT SPONSOR GROUP HEALTH PLANS COVERED ENTITIES SUBJECT TO THE PRIVACY REGULATIONS?
Generally, employers are not covered entities unless they are self-insured. In the Final Rule, and in the Proposed Rule published on March 27, 2002, HHS emphasizes its view that employers are not covered entities.
Similarly, employers with group health plans are not hybrid entities. The Final Rule clarifies that an employer is not a “hybrid entity” simply because it sponsors a group health plan. As noted earlier, a hybrid entity is a covered entity and is required to comply with the provisions of the privacy regulations. But the definition of hybrid entity is very specific: a single legal entity that is a covered entity and that has both covered and non-covered functions. Because an employer and its group health plan are two distinct legal entities, an employer sponsoring a group health plan is not a hybrid entity.
WHAT ABOUT EMPLOYEE HEALTH INFORMATION OBTAINED DURING THE COURSE OF EMPLOYMENT?
In the Final Rule, and in the comments published in connection with the Proposed Rule, there is language that specifically excludes employment records from the definition of “protected health information.” This makes it reasonably clear that records created or received by an employer in its capacity as the employer are not covered by the Privacy Rule. Although HHS declined to define “employment records” in the text of the regulations, it acknowledged in the preamble that such records as fitness-for-duty evaluations, drug screening results, sickness and disability leave requests, and documents needed to comply with the Americans with Disabilities Act, worker’s compensation laws, and the Family and Medical Leave Act may be part of an employee’s employment records maintained by the employer in its capacity as employer and may not be protected under the Privacy Rule.
CAN AN EMPLOYER SPONSOR OBTAIN SUMMARY INFORMATION FROM THE GROUP HEALTH PLAN?
The regulations provide that the group health plan (or a health insurer or HMO with respect to the group health plan) may disclose summary health information to the plan sponsor if the information is used for one of two purposes: (i) obtaining premium bids from health plans for providing health insurance coverage under the group health plan; or (ii) modifying, amending, or terminating the group health plan.
CAN AN EMPLOYER SPONSOR OBTAIN ENROLLMENT INFORMATION FROM THE GROUP HEALTH PLAN?
A group health plan may disclose enrollment information to the employer sponsoring the health plan. The final rule adds a provision clarifying that a group health plan may, without amending its plan documents (as otherwise required and described in this alert), disclose enrollment and disenrollment information to the plan sponsor. However, enrollment and disenrollment information is still treated as protected health information for all other purposes under the HIPAA privacy regulations.
CAN AN EMPLOYER SPONSOR OBTAIN PHI FROM A GROUP HEALTH PLAN OTHER THAN SUMMARY INFORMATION AND ENROLLMENT INFORMATION?
Yes. But when the plan sponsor obtains PHI from the health plan (other than summary and enrollment information), under the regulations the employer is required to assume a number of obligations. If an employer receives more than summary PHI, then the employer must certify to the group health plan that its plan documents have been revised to incorporate specific provisions set forth in the regulations, including:
- the employer must not use or further disclose the information except as permitted;
- the employer must ensure that any agents to whom it provides PHI received from the health plan agree to the same restrictions (through the use of “business associate” agreements);
- the employer may not use or disclose PHI for employment-related actions or decisions;
- the employer must report any use or disclosure inconsistent with the regulations;
- the employer must make the PHI available to plan participants as provided by the regulations (including providing for participants’ rights to inspect, copy or amend their PHI, and providing participants an accounting of any disclosures of their PHI); and
- the employer must make records relating to PHI available to DHHS for audit on request.
DOES AN EMPLOYER HAVE TO MAKE ANY CHANGES TO ITS PLAN DOCUMENTS WHEN A HEALTH PLAN SHARES PHI?
The plan sponsor must establish “adequate” separation between the plan and the plan sponsor. Accordingly, the plan documents must:
- Describe those employees or classes of employees or other persons under the control of the plan sponsor to be given access to the PHI;
- Restrict access to and use of the PHI by such employees and persons; and
- Provide an effective mechanism for resolving any issue of noncompliance by such employees and persons.
PLAN NOW FOR COMPLIANCE
Even if your organization is not a “covered entity,” it is likely that there is a significant amount of planning and implementation work to be done in the next several months in order to be compliant with the HIPAA privacy regulations by April 14, 2003. For more information about HIPAA compliance, contact Bruce A. Levy at the Health Law Department at Gibbons, Del Deo, Dolan, Griffinger & Vecchione, P.C.