Employers handle their employees’ medical information for many reasons, from administering health coverage to receiving workers’ compensation claims. Under certain circumstances, employers are dealing with protected health information and may be subject to the Health Insurance Portability and Accountability Act (HIPAA).
HIPAA is a federal law that governs health coverage portability and health information privacy. It applies to health plans, health care clearinghouses and health care providers. In some cases, this may include employers.
HIPAA complaints can result in investigations, and violations can result in hefty fines. To avoid these issues, employers need to avoid common HIPAA mistakes.
Mistake Number One: Not Knowing Whether HIPAA Applies
Although employees often obtain health coverage through their employer, the employer itself is not typically considered a covered entity under HIPAA. However, there are some important exceptions, as HIPAA indirectly regulates health plan sponsors. The extent of an employer’s obligations under the HIPAA Privacy and Security Rules generally depends on whether the employer has access to protected health information (PHI) for plan administration purposes. Therefore, an employer-sponsored group health plan is frequently considered a covered entity under HIPAA, even if it is fully insured.
Likewise, certain wellness programs can be subject to HIPAA. According to the U.S. Department of Health & Human Services, whether a wellness program is subject to HIPAA depends on how it's structured. If the program is part of a group health plan, the individually identifiable health information collected or created is protected under HIPAA.
Even some apps used in employee wellness programs could fall under HIPAA. In an interview with Employee Benefit News, Stefano Quintini, a partner in the technology transfers practice of Fenwick & West LLP, warns that apps offered in conjunction with health insurers or health care providers could be subject to HIPAA.
Mistake Number Two: Not Understanding the Role of Business Associates
HIPAA regulations apply to covered entities and their business associates. A business associate is any party whose work for a covered entity requires the disclosure of protected health information to that party. Examples of business associates can include CPAs, attorneys, transcriptionists, consultants, pharmacy benefits managers and third-party administrators. HIPAA generally requires that a covered entity receive satisfactory compliance assurances from the business associate in the form of a written contract called a Business Associate Agreement.
These contracts must include specific elements related to HIPAA. In 2017, the Center for Children’s Digestive Health paid $31,000 to settle a violation for not having a business associate agreement with a company that stored records.
Mistake Number Three: Failing to Prevent Security Risks
Under the HIPAA Breach Notification Rule, covered entities and business associates are required to provide notification of breaches involving protected health information. Additionally, organizations may be fined after a breach if it is determined that they had inadequate risk analysis and risk management processes. Fresenius Medical Care North America paid a $3.5 million settlement after experiencing multiple breaches.
Organizations may also be held responsible for failing to prevent theft and other crimes involving protected health information, whether the employees are the victims or perpetrators. CardioNet paid a $2.5 million settlement after an employee’s laptop containing protected health information was stolen from a vehicle. Walgreens had to pay $1.4 million after an employee shared prescription records with a patient’s ex-boyfriend.
Mistake Number Four: Forgetting About Other Regulations
In addition to HIPAA, employers also need to follow other laws, including the Genetic Information Nondiscrimination Act (GINA), the Americans with Disabilities Act (ADA), the Employee Retirement Income Security Act (ERISA) and the Consolidated Omnibus Budget Reconciliation Act (COBRA). Individual states may also have laws that include additional requirements or apply to more entities.