April 2002
Health Law Newsletter
Employers: Will HIPAA Affect You?
by Elizabeth H. Sillin, Esq.
Most people have heard about the Health Insurance Portability and Accountability Act of 1996, or "HIPAA," by now. The HIPAA regulations and recent proposed revisions concerning medical privacy have received a lot of press. Many employers have concluded that, because the regulations do not explicitly apply to them, they do not need to be concerned about them. They may be right. But they’re probably not. Read on for a short lesson on how HIPAA may affect employers.
HIPAA: The Basics
The HIPAA privacy regulations issued by the federal Department of Health and Human Services directly regulate uses and disclosures of health information created by or used by certain health care providers and health plans, referred to under the regulations as "covered entities." Health care providers who transmit health information electronically with regard to certain transactions are covered entities. Covered health plans include virtually all health plans, insured or self-insured, including group health plans covered under the Employee Retirement Income Security Act of 1974 ("ERISA"). Apparently, limited supplemental plans such as dental or vision plans, as well as flexible spending accounts, are also covered. ERISA excludes, and thus HIPAA excludes from coverage, small health plans with fewer than fifty participants that are self-administered.
The fundamental premise of HIPAA is that individually identifiable health information created by or received from a covered entity becomes "protected health information." Once the information is protected, it may only be used by the covered entity for the purposes of patient treatment, payment of health care costs, and for health care operations. If the protected health information will be used by the covered entity for almost any other purpose than treatment, payment or health care operations, the patient must specifically authorize that use. If the protected health information is disclosed by the covered entity, in most cases there will have to be a contract between the covered entity and the person or entity receiving the protected health information to ensure that the receiver will abide by the privacy regulations.
Employers and Health Plans
Many employers will be affected by HIPAA by virtue of their relationship with the health plans they offer. For example, if an employer self-insures a health plan, the employer is covered under HIPAA. If an employer has an employee acting as the health plan administrator, the employer is covered under HIPAA. If an employer acting as the plan sponsor has a need for, or comes in contact with, a person’s private health information in connection with the administration of the health plan, HIPAA will affect the employer.
Consider the role of the employer as the sponsor of a health plan. Plan sponsors may perform certain functions that require the use of protected health information in the management of the employer’s health benefits program. The privacy rules are intended to prevent the information from being used for employment-related functions or functions related to other employee benefit plans or other benefits provided by the plan sponsor. Under the rules, a plan sponsor must agree to use and disclose protected health information received from the health plan only for plan administrative functions which must be specified in the plan documents. Therefore, plan documents will have to be amended to:
- describe the permitted uses of the protected health information,
- verify that the plan sponsor has agreed to limit the use of the information, and
- provide adequate firewalls between employees with access to the information and other employees.

HIPAA does allow a health plan to release to the plan sponsor "summary health information."
Employers that self-insure or administer their group health plan will have further compliance obligations, including the designation of a privacy official, development of procedures for handling protected information, and the maintenance of training, compliance and documentation processes.
Employers and Health Care Providers
Another example of a situation in which HIPAA may affect the employment arena is a pre-employment physical. If the physical is being performed by a physician, other than an employee physician, it is likely that the physician will be covered by HIPAA. Therefore, the individually identifiable health information collected by the doctor at the physical will be "protected health information." The employer wants the information, but because the use is not for treatment, payment or health care operations, the physician will have to obtain the patient’s express authorization to release it. The employer may only use the information for the purposes expressly stated in the authorization.
Other employment-related practices that may be affected include disease management and wellness programs, occupational health issues, and on-site medical clinics.
Determine whether HIPAA applies
Employers should determine whether and how HIPAA’s regulations apply to them. The compliance date for most covered entities is April 14, 2003.
If you would like additional information or assistance to help your health care practice or business meet its HIPAA compliance legal obligations, please contact Kelly A. McCarthy, Esq., Coordinator of the BR&G Health Law Practice Group, at (413) 272-6306, or Elizabeth H. Sillin, Esq., a member of the Group, at (413) 272-6296.
Elizabeth H. Sillin is an associate at Bulkley, Richardson and Gelinas, LLP practicing in the Health Law Practice Group, as well as in the Estate Planning and Administration and Real Estate Departments. The final privacy and proposed security HIPAA regulations with proposed revisions are available at the U.S. Department of Health and Human Services website.









