A regulatory surprise: the recent deadline for HIPAA privacy compliance caught many employers off guard - Legal Trends

HR Magazine, May, 2003 by Jodi Plavner

April 14, 2003, came and went without some HR professionals noting or even appreciating the legal significance of the date. That's potentially dangerous because, on that day, some employers--perhaps much to their surprise--became liable for ensuring the privacy of their employees' medical information under regulations for the Health Insurance Portability and Accountability Act (HIPAA).

It is easy to see how employers could mistakenly believe they aren't required to abide by these regulations. After all, the rules apply to entities such as health plans, health care clearinghouses and health care providers that electronically transmit a patient's identifiable protected health information (PHI).

Employers who aren't involved primarily in health care might easily--but mistakenly--conclude that they are not subject to these regulations. In fact, based on the experiences in our law firm, some employers who determined they were not covered by HIPAA's privacy regulations are indeed covered, at least in part, due to their role as plan sponsor and/or plan administrator.

This article focuses on how employers that are neither health care providers nor clearinghouses in the traditional sense still may be obligated to comply with HIPAA due to the benefit plans they sponsor or certain health care services they provide ancillary to their primary purposes.

Note that although the initial April 14 deadline for compliance has passed, employers still have time to avoid penalties for non-compliance if they act quickly and in good faith to get into compliance.

Benefit Plans

Employers are not considered "covered entities" under HIPAA when they act solely in their capacity as employers. However, when acting in the capacity of a "health plan" or "plan sponsor," as defined by HIPAA, those employer functions will be subject to the law's privacy compliance requirements.

While less onerous than for nonhealth care providers, compliance at a modified level is still mandated for many employers that serve as plan sponsors of covered plans--especially if they receive PHI. Covered plans include hospital and medical benefits plans, dental plans, vision plans, health flexible spending accounts and employee assistance plans. Fully insured and self-insured plans are covered to the extent they provide medical care to employees and/or dependents.

There is one exception to the HIPAA privacy rules: Employers that sponsor self-administered group health plans with fewer than 50 participants are not subject to the HIPAA privacy rules.

In addition, plans with fewer than $5 million of "receipts," while not exempted entirely from the rules, have until April 14, 2004, to comply.

Health Care Services

Employers may find themselves covered by HIPAA as a health care provider even if their primary functions are unrelated to health care. For instance, employers that provide counseling, physical assessments, medical devices or equipment, or on-site health centers for their employees may well qualify as health care providers and be--at least partly--covered by the privacy regulations.

It is important to note, however, if an employer fits the definition of a health care provider, it will become subject to HIPAA's privacy regulations only if it transmits PHI in electronic form. But, once an employer sends PHI in even a single electronic transmission, all of its PHI--including non-electronic data--is subject to HIPAA's privacy regulations.

Examples Are Worth A Thousand Words

The preceding information may be difficult to grasp in a vacuum, so here are some examples to help you better understand when employers may, or may not, be subject to HIPAA's privacy rules:

Situation No. 1. A company sponsors a self-insured group health plan for more than 50 of its full-time employees. The employer receives PHI to perform plan administration.

Is the employer required to comply with HIPAA by virtue of the self-insured group health plans it sponsors?

Compliance answer. HIPAA compliance varies depending on the role of the employer in plan administration and the particular plan(s) at issue. If an employer, as a plan sponsor of HIPAA-covered plans, provides health benefits only through an insurance contract with a health insurer/HMO and does not create, maintain or receive PHI in administering the health plan, the employer--as plan sponsor--would be excused from HIPAA's privacy rule requirements.

However, since the employer in this example is the plan sponsor of a self-insured plan and receives PHI in connection with the administration of this plan, HIPAA compliance is required. Even if a third-party administrator handled all plan administration, various HIPAA obligations still would exist for the employer as plan sponsor of a self-insured plan. For example, the employer, on behalf of the plan, would need to enter into a business associate agreement with the third-party administrator confirming that the third-party administrator will comply with HIPAA. (The compliance tasks required of employers are discussed later in this article.)
