
Employer Health Benefit Plans Subject To HIPAA Privacy Rules

With all kinds of personal data increasingly being stored and transmitted electronically, people increasingly fear that more and more information about their personal lives is accessible to more and more people. These breaches of privacy can range from an analysis of our spending patterns for marketing purposes all the way to the most destructive use of personal information – the theft of our identity.

Perhaps no threat to privacy is of greater concern to Americans than the improper use of personal health information. A 1999 survey by the California HealthCare Foundation found that more than half of all Americans believe that computerization of medical data increases privacy threats.

Indeed, as the House Committee on Government Reform has reported, “[W]ith increasing computerization of medical records and integration of activities within the health care system, individuals’ health information can be transmitted more rapidly to a wider range of recipients.”

People are concerned that employers will use medical information to make employment decisions about whom to hire, fire, or promote. There is also a growing concern that apprehension over privacy will have a chilling effect on employees’ willingness to request a leave, seek a workplace accommodation, or access certain services, especially mental health services, covered by their employer-sponsored health plan.

In response to these fears, Congress in 1996 authorized the Secretary of Health and Human Services to create comprehensive national privacy regulations as part of the Health Insurance Portability and Accountability Act (“HIPAA”). The HIPAA medical privacy regulation applies to health care providers that bill electronically, to health data clearinghouses, and to health plans, including employer-sponsored health plans, both insured and self-funded.

Employer-Sponsored Health Plans

The rule imposes a variety of legal obligations on employer-sponsored plans, including the obligation to provide employees with a privacy notice, appointment of a privacy officer and the application of detailed privacy policies.

For companies that offer health insurance and other health benefits only through an outside insurer, little or no protected health information is handled by the employer, and there is little risk that employers will be privy to sensitive information that can be (mis)used for employment purposes. HIPAA allows insured health plans to delegate almost all privacy functions to their health insurers.

Self-funded health benefit plans, in which employers bear the full cost of health expenses, pose more difficult privacy challenges. It is estimated that some 43 million Americans participate in such self-insured plans, which are typically offered by the largest corporations. Some large employers manage significant aspects of their self-funded plans themselves.

However, employers that directly administer their health benefit plans “in house” also take on direct responsibility for assuring the privacy and security of their employees’ personal health information.

As a rule, the more plan functions that are administered internally by the company, the more stringent the restrictions and the requirements for protecting the confidentiality of health information. Claims processing, benefits appeals, purchasing stop-loss insurance, claims auditing, and case management all require the use of private, personal data.

Outsourcing such functions limits the circumstance where, as one medical school professor summarized the concern, “[I]t’s Helen in personnel who’s looking at all the forms, and knows whether you’re seeing a psychiatrist, you just had your tubes tied, or you’ve just been diagnosed with cancer.”

If a company insists on keeping many or all of these health insurance functions in-house, then it should carefully segregate employment records from personal medical information. Executives making personnel decisions must be denied access to health insurance records and employee assistance program records.

Companies that store, maintain or transmit health information in electronic form must maintain access and audit controls to protect the security of their employees’ health information. These rules apply not only to health insurance claims information, but also to employee-funded medical care spending accounts. The days when an employee’s pharmacy reimbursement receipts could be kept in the same filing cabinet as her performance reviews are long gone.

Ironically, some companies expose themselves to risk by trying to help their employees too much. Many human resource departments provide benefits advocates or assist employees in making claims or challenging claim denials.

In providing this type of assistance, companies can become privy to a substantial amount of an employee’s personal history, enhancing the risk that information security will be breached. If the employee is later terminated, he or she could allege that the reason for termination was the employer’s desire to avoid paying additional health expenses. This warning is applicable to all types of employee health benefits and assistance programs where sensitive information may be transferred.

Health insurance is one of the most important benefits an employer can offer. Poor privacy and security practices, however, can expose employers to significant legal risks.

David Szabo is partner at the Boston law firm of Nutter McClennen & Fish, LLP where he co-chairs the health care group. He may be reached at [email protected]. Maria Buckley is of counsel to Nutter and was formerly senior counsel at Blue Cross Blue Shield of Massachusetts. She can be reached at [email protected].