Employers and their HR departments accumulate a lot of information about employees, much of which is sensitive and personal. This often includes records and material about an employee's health and medical history. Most workers and their companies are generally aware of laws that protect private health information and limit its disclosure, chief among them the Health Insurance Portability and Accountability Act (HIPAA). But many employers have mistaken impressions about how HIPAA applies to their maintenance, use, and disclosure of health information. While companies don't have carte blanche to treat such records as they see fit, HIPAA's restrictions and obligations likely don't apply to them at all.
Most Employers Are Not “Covered Entities” Under HIPAA
After HIPAA became law in 1996, the U.S. Department of Health and Human Services (HHS) issued a set of national standards governing the use and disclosure of individuals' protected health information (PHI). But the Standards for Privacy of Individually Identifiable Health Information, commonly known as the Privacy Rule, apply only to "covered entities" as defined in HHS regulations.
“Covered entities” that must comply with HIPAA are:
- Individual and group health plans.
- Health care clearinghouses (entities that process nonstandard health information they receive from another entity into a standard format, or vice versa).
- Any doctor or other health care provider who transmits health information in electronic form in connection with transactions for which the Secretary of HHS has adopted standards under HIPAA (as a practical matter, almost every health care provider).
The Privacy Rule also applies to “business associates” of a covered entity, primarily vendors who provide a covered entity with business services that involve the handling of PHI.
If your company does not fall into any of those categories, congratulations; you don’t need to worry about HIPAA. Even if your company is a “covered entity,” HIPAA still does not apply to any employee health information in your possession that is contained “in employment records held by a covered entity in its role as an employer.”
Even though your company is likely not a covered entity that must comply with HIPAA, it almost certainly has a relationship with one. Your company's group health insurance provider is bound by the Privacy Rule, which means that, as a general rule, it cannot disclose or share any employee's PHI with you without the employee's written authorization (HIPAA's term for written consent).
Although your health plan and your company are separate legal entities, the line between the plan and the company representative who administers it can be hard to draw. Because the company is responsible for administering the plan, the administrator will come into contact with PHI. What matters is which hat the administrator is wearing when handling that PHI: is he or she acting as an employee of the company, or as the plan administrator for the group health plan? Drawing this line is critical to HIPAA obligations and compliance.
HIPAA Isn’t the Only Law Governing Employee Health Information
Importantly, HIPAA is not the only law that addresses what employers can or must do with employee health information. Other federal laws, including the Americans with Disabilities Act and the Family and Medical Leave Act, along with state laws such as the Michigan Medical Records Access Act, impose their own limits on an employer's access to, use, and disclosure of employee health information, whether or not HIPAA applies.
Speak With a Michigan Employment Law Attorney
If you have questions or concerns about your company’s obligations under HIPAA or employee health information generally, the employment law attorneys at Kreis Enderle can provide you with sound, straightforward counsel to guide your decision-making.