
Demystifying HIPAA's Privacy Requirements

There has been a deluge of literature on the medical privacy rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which generally became effective April 14, but few articles have focused on its impact on employers.

Myths and misinformation abound regarding the impact of the privacy rule on employers, notably the widespread belief that employers need not worry about HIPAA because the privacy rule and the regulations thereunder do not specifically apply to employers.

This article is intended to highlight some of the areas where an employer may encounter protected health information in its capacity as an employer; it does not describe the privacy rule requirements applicable to a group health plan.

Background

The privacy rule is a byproduct of HIPAA’s administrative simplification provisions, which were designed to facilitate greater efficiency of the U.S. health care system by requiring that certain transactions be performed electronically.

As more transactions are carried out through electronic means, sensitive health information once maintained in hard copy in limited locations can now be accessed by innumerable prying eyes. The privacy rule is intended to safeguard such information, while permitting its reasonable uses and disclosures.

The Department of Health and Human Services issued final regulations on the privacy rule on Aug. 14, 2002.

A group health plan is rarely an independent entity and, therefore, generally acts through its plan sponsor (i.e., the employer). Careful analysis is required to determine the impact of the privacy rule on an employer in its capacity as plan sponsor, as distinguished from how the privacy rule may affect the same employer acting in its capacity as employer.

Who Is Covered?

The privacy rule applies to “covered entities,” which include health plans, health care clearinghouses and certain health care providers.

While employers are not covered entities, they likely will encounter the requirements of the privacy rule in connection with employment-related matters such as administration of leaves of absence and workers’ compensation matters.

What Is The Privacy Rule?

The privacy rule, simply stated, maintains that protected health information cannot be used or disclosed by a covered entity (e.g., a health care provider or health plan) without a patient’s authorization unless the use or disclosure is otherwise permitted by the regulations.

Uses and disclosures permitted by the regulations include uses or disclosures for treatment, payment and health care operations purposes, as well as certain specified public interest purposes (e.g., as required by other applicable law, pursuant to judicial or administrative proceedings, for law enforcement purposes, for public health reasons or for workers’ compensation purposes).

What Is Protected Health Information?

Protected health information (PHI) is any individually identifiable information (i.e., any electronic, oral or paper communication that includes data with unique characteristics attributable to a specific person, such as a name, Social Security or driver’s license number, fingerprint or genetic link) that:

* is created or received by a health care provider, health plan, employer or health care clearinghouse;

* relates to the past, present or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present or future payment for the provision of health care to an individual;

* either identifies an individual or creates a reasonable basis to believe the information can be used to identify an individual.

PHI And Personnel Administration

Although employers are not “covered entities,” they will encounter PHI, and may even require use and disclosure of PHI, for employment-related purposes that may include: (1) compliance with the Americans with Disabilities Act (ADA) or similar state law; (2) administration of legally mandated leaves of absence or employer leave-of-absence policies; (3) drug and alcohol testing; (4) employee advocacy; and (5) workers’ compensation.

The employer’s legitimate need for PHI is not, in and of itself, a permitted use or disclosure pursuant to the privacy rule. Unless another permitted use or disclosure found in the regulations applies, a covered entity may not disclose PHI to the employer unless the employee provides a valid authorization for such disclosure.

The following examples illustrate situations where the employer’s personnel administration is likely to be affected by the privacy rule.

ADA Compliance And Reasonable Accommodation

Many employers use questionnaires to solicit information from an employee’s health care provider in order to determine the existence of a qualifying disability and/or to evaluate an employee’s ability to perform the essential functions of his job with or without reasonable accommodation. Employers may also require, in some instances, examination of an employee by a physician of the employer’s choice.

Although such questionnaires and examination requests usually take the form of a request for a description of work restrictions (rather than a request for disclosure of a specific diagnosis, prognosis, treatment or other information about the employee’s condition), such information falls within the broad definition of PHI.

Therefore, disclosure of PHI by a health care provider or a group health plan to the employer for ADA and state law accommodation purposes will require employee authorization.

Protected Leaves Of Absence/Employer Policies

The privacy rule affects an employer’s ability to gather information concerning an employee’s entitlement to leave and reinstatement under the FMLA, state family and medical leave laws, pregnancy disability leave laws and other employer leave-of-absence policies.

Typically, the employer will need such information for medical certification of the need for leave, for any additional certifications during the leave, and for fitness for duty certification at the end of the leave.

This information is PHI and, therefore, may be disclosed to the employer by a covered entity only pursuant to an authorization.

Drug And Alcohol Testing

Drug and alcohol test results are PHI. Such results may be disclosed to the employer only pursuant to an authorization or if another exception to the privacy rule applies.

However, an employee may be required to authorize the disclosure of such information to the employer as a condition of employment where the employee’s job requires the employee to submit to drug and alcohol testing (e.g., pursuant to Department of Transportation requirements or other applicable regulatory authority).

Employer Advocacy

Employers often field questions regarding group health plan benefits, advocate on behalf of their employees in benefit disputes and appeals, and generally assist employees with benefit matters.

It is not uncommon for an employee to seek assistance from a representative of the employer’s human resources department with a copy of an “explanation of benefits” statement in hand.

The information the employee is sharing is PHI, and in order to interact in a meaningful way with the health care provider or group health plan on behalf of the employee, the human resources representative likely will need to receive PHI from the provider or plan.

There is some question as to whether advocacy activities fall within the “treatment, payment or health care operations” exceptions to the privacy rule authorization requirement.

As a result, many group health plans and health care providers are requiring authorization whenever an employer requests information or otherwise intervenes on behalf of an employee.

Workers’ Compensation

Pursuant to an exception in the privacy rule, employee authorization is not required for use or disclosure of PHI in connection with the administration of a workers’ compensation claim.

Trap For The Unwary: Flexible Spending Accounts

Many employers are fully insured for all of their group health plans and receive no PHI in connection with them. These employers who sponsor fully insured plans and who receive no PHI from such plans are generally exempt from HIPAA’s cumbersome group health plan compliance requirements.

However, many of these employers also maintain a flexible spending account plan (FSA), which is often one component of a “cafeteria” or “Section 125” plan and which is typically administered by the employer or by a third party administrator or vendor.

Beware that FSAs are considered group health plans within the meaning of the privacy rule, and all of HIPAA’s requirements apply to them and to the plan sponsor (i.e., the employer) who maintains them.

Accordingly, third party administrators and vendors are asking their employer clients to sign “privacy” or “business associate” agreements, which define and restrict the use of PHI.

The PHI an employer receives in connection with administration of an FSA (e.g., through human resources personnel who are processing claims or through claims reports the employer receives from its administrator) may not be used for employment purposes without authorization.

A Word About Authorizations

Most of the employment-related disclosures discussed above may not be made without an authorization. An employee may be required to execute an authorization if the employer needs to receive PHI in order to fulfill legitimate personnel objectives.

For example, as discussed above, an employee may be required to submit to drug and alcohol testing in accordance with applicable law or regulations. If the employee refuses to execute the authorization necessary for his health care provider or group health plan to disclose drug and alcohol testing results to the employer, then the employer may refuse to continue to employ the employee in a safety-sensitive position.

An authorization must include the following elements:

* a specific and meaningful description of the information to be used or disclosed;

* the name or other specific identification of the person(s) or class of persons authorized to make the authorization;

* the name or other specific identification of the person(s) or class of persons to whom the covered entity is to make the disclosure;

* an expiration date or event that relates to the individual or the purpose of the use or disclosure;

* a statement of the individual’s right to revoke the authorization in writing;

* a statement about the exceptions to the right to revoke;

* a description of how the individual may revoke the authorization;

* a statement that information used or disclosed pursuant to the authorization may be subject to re-disclosure by the recipient and no longer be protected by the privacy rule;

* the signature of the individual and date of signature; and

* if the authorization is signed by a personal representative of the individual, a description of such representative’s authority to act for the individual.

A general or blanket authorization will not suffice for HIPAA purposes.

Some Good News

While HIPAA provides for potentially significant civil and criminal penalties for violations of the privacy rule, it does not create a private right of action for individuals who believe they have been harmed by privacy rule violations.

Employers should be mindful, however, that evidence of a privacy rule violation can be used to support lawsuits under other applicable privacy or discrimination laws.

Conclusion

Although employers are not covered entities subject to the privacy rule, employers need to be aware of how they come into contact with PHI and what they do with the PHI they receive.

This article has discussed some of the more common ways in which an employer may find itself dealing with PHI; it has not, however, discussed many other important aspects of HIPAA compliance, including the relationship between covered entities and their business associates, obligations to safeguard PHI, the rights of individuals regarding their PHI and the so-called “minimum necessary” rule regarding the amount of information that may be properly disclosed under certain circumstances.

Ronald Cooke is of counsel and Natascha George is an associate in the employee benefits practice group at Bingham McCutchen.