Does HIPAA Apply to Employee Health Information Maintained by Employers?

Modified on Wed, 16 Jul at 4:55 PM

DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice; instead, all information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.  

Introduction

This article discusses whether HIPAA applies to employee health information maintained by an employer, and how the answer changes when the employer is itself a covered entity or sponsors a group health plan.

Does HIPAA Apply to Employers?

HIPAA applies to "covered entities," which are defined as: (1) health plans; (2) healthcare clearinghouses; and (3) healthcare providers that transmit health information electronically in connection with certain standard transactions (such as claims). HIPAA also applies to business associates of these entities.

Hardware stores, local stationery stores, car repair shops - these businesses are not covered entities. They are not healthcare providers, health plans, or clearinghouses. Nor are they business associates - they do not create, receive, maintain, or transmit PHI for or on behalf of a covered entity. These and similar establishments that are neither covered entities nor business associates are not regulated by HIPAA. This means that even if they store employee health information (a doctor's note, a drug test result, a sick-leave request), they are under no HIPAA obligation to protect its privacy and security. Other laws, such as the Americans with Disabilities Act, state privacy laws, or state workers' compensation rules, may still require the employer to protect that information.

What if the Employer is a Covered Entity?

Say that an employer - a general practitioner - IS a covered entity. Does HIPAA protect the health information of this employer's own employees? Not if the information sits in employment records that the covered entity holds in its role as an employer. Employee health information maintained by a covered entity employer in employment records, such as disciplinary files, workers' compensation files, or Family and Medical Leave Act files, is not protected by HIPAA. Why? Because the HIPAA definition of PHI expressly excludes employment records held by a covered entity in its role as employer. The distinction is the role, not the person: if that same general practitioner treats one of its employees as a patient, the resulting medical record is created in the provider role and is PHI like any other patient record.

What About Employers Who Sponsor Group Health Plans for Their Employees?

Some employers sponsor group health plans for their employees.

A "group health plan" is one type of health plan and is a covered entity (except for self-administered plans with fewer than 50 participants). The group health plan is considered to be a separate legal entity from the employer or other parties that sponsor the group health plan. Neither employers nor other group health plan sponsors are defined as covered entities under HIPAA.

Therefore, the Privacy Rule does not directly regulate employers or other plan sponsors that are not HIPAA covered entities. However, the Privacy Rule does control the conditions under which the group health plan may share protected health information with the employer or plan sponsor when the information is necessary for the plan sponsor to perform certain administrative functions on behalf of the group health plan. See 45 CFR 164.504(f). Among these conditions are that the plan documents be amended to describe the permitted uses and disclosures, and that the group health plan receive a certification from the employer or plan sponsor that the health information will be protected as the rule prescribes and will not be used for employment-related actions or decisions.

The covered group health plan must comply with the Privacy Rule's requirements, though those requirements are limited when the group health plan is fully insured and receives only summary health information and enrollment and disenrollment information from the insurer.