The Long Arm of HIPAA
Mar 12, 2014
First published in the Hawai‘i Bar Journal (the official publication of the Hawai‘i State Bar Association), March 2014 Edition.
by Terri O’Connell
When attorneys hear the acronym HIPAA, they usually think of medical information generated by doctors, dentists, hospitals, pharmacies, or health insurers1. Generally, they are right. Most health care providers meet the definition of a HIPAA “covered entity” and are therefore subject to HIPAA2. Many attorneys are also familiar with the HIPAA authorization release form used to obtain an individual’s medical records. What attorneys may not know, however, is that an employee welfare benefit plan providing medical coverage is also a covered entity under HIPAA. It is a separate legal entity under HIPAA3, a fact that is confusing but interesting.
Most employers in Hawai‘i offer medical coverage to their employees4. Much of that coverage is through insured medical plans rather than self-insured medical plans5. Large employers that self-insure often use specialized vendors to ensure full compliance with regulations, including HIPAA. In contrast, a smaller employer with several dozen employees may have no idea that its fully insured employee welfare benefit plan, probably offering a variety of medical coverage options, is subject to HIPAA, because it is a covered entity6. So although the employer itself is not a HIPAA covered entity, it still is affected by HIPAA.
Fortunately, insured employee welfare benefit plans (“Plans”) have limited HIPAA obligations if the Plans follow the regulations restricting the flow of protected health information (“PHI”) between employers and Plans. For example, if Plans limit communications to employers to (a) disclosures of participation, enrollment, or disenrollment information for the administration of the Plans7 and (b) summary health information8 in which the Plans do not receive or create PHI9, then the Plans must only:
• refrain from intimidation/retaliation against individuals exercising privacy rights, including filing complaints10;
• not require individuals to waive privacy rights as a condition to benefit eligibility or enrolling/receiving benefits from a plan11; and
• retain certain documentation12.
If the sharing of PHI goes beyond these examples, then more HIPAA obligations apply. For instance, the Plan’s documents must include information regarding the employer’s administrative, physical, and technical safeguards of PHI13. One reason for the additional restrictions is to ensure an employee’s PHI is properly used for benefit purposes and not, for example, for employment-related decisions. Employers are not directly regulated by HIPAA, but the long arm of HIPAA can still reach and impact them.
1 HIPAA is the acronym for the Health Insurance Portability and Accountability Act of 1996, Pub. L. 104-191 (which includes the “Privacy Rule” and the “Security Rule”) as amended by the Health Information Technology for Economic and Clinical Health Act (“HITECH”), and regulations adopted thereunder (including omnibus final rule published on January 25, 2013).
2 45 C.F.R. § 160.103 (2013).
3 Id. Also see, U.S. Department of Health & Human Services website at: http://www.hhs.gov/hipaafaq/providers/covered/499.html.
4 Note that, generally, the federal Affordable Care Act requires employers to provide coverage to employees working at least 30 hours a week, whereas the Hawai‘i Prepaid Health Care Act (Hawai‘i Revised Statutes Chapter 393) is at 20 hours a week.
5 See Paul Fronstin, Ph.D., Self-Insured Health Plans: State Variation and Recent Trends by Firm Size, EBRI, November 2012, Vol. 33, No. 11, at p. 7, at http://www.ebri.org/pdf/notespdf/EBRI_Notes_11_Nov-12.Slf-Insrd1.pdf.
6 See supra n. 3.
7 45 C.F.R. § 164.504(f)(1)(iii) (2013).
8 45 C.F.R. § 164.504(a) (2013).
9 45 C.F.R. § 164.520(a)(2)(iii) (2013).
10 45 C.F.R. § 164.530(k)(1) (2013).
12 45 C.F.R. § 164.530(k)(2) (2013).
Also see, U.S. Department of Health & Human Services website at: http://www.hhs.gov/ocr/privacy/hipaa/faq/covered_entities/496.html.
13 45 C.F.R. § 164.314(b) (2013).