Does HIPAA Apply to Employee Health Information Maintained by Employers?

Modified on Mon, 11 Dec, 2023 at 12:30 PM

DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice; instead, all information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.  



This article discusses when an employer may obtain an employee's PHI under the HIPAA Privacy Rule.


Does HIPAA Apply to Employers?

It is a common misconception that the Health Insurance Portability and Accountability Act (HIPAA) applies to employee health information held by the employee's employer. The fog of misconceptions got thicker when the COVID-19 pandemic hit - many employers believed (incorrectly) that HIPAA prohibited them from asking their employees if the employees had contracted COVID-19, or from asking the employees about their vaccination status.

Why Does HIPAA Generally Not Apply to Employers?
HIPAA applies only to “covered entities,” which are defined as: (1) health plans; (2) healthcare clearinghouses; and (3) healthcare providers that electronically transmit certain health information. HIPAA also applies to business associates of these entities.

Your local hardware store, your local stationery store - these entities are not covered entities. They are not healthcare providers or health plans. Nor are they business associates - they do not create, maintain, receive, and/or transmit PHI for or on behalf of a covered entity. These and similar establishments that are not involved in the business of healthcare are not regulated by HIPAA. This means that even if these establishments store employee health information, they are under no HIPAA obligation to protect its privacy and security (other laws may still require the employer to protect the information).

Say that an employer - your local general practitioner - IS a covered entity. Does HIPAA protect the confidential health information of this employer's employees? Not if this information is held in employment records maintained by the covered entity in its role as an employer. Employee health information maintained by a covered entity employer in employment records, such as disciplinary files, workers' compensation files, or Family and Medical Leave Act files, is not protected by HIPAA. Such information is excluded from the definition of PHI.

What About Employers Who Sponsor Group Health Plans for Their Employees?
Some employers sponsor group health plans for their employees. Are these employers covered entities under HIPAA? Generally not. The group health plan is considered to be a separate legal entity from the employer or other parties that sponsor the group health plan. Generally, neither employers nor other group health plan sponsors are defined as covered entities under HIPAA. The group health plan is a covered entity, though. As such, the Privacy Rule controls the conditions under which the group health plan can share protected health information with the employer or plan sponsor, when that information is necessary for the plan sponsor to perform certain administrative functions on behalf of the group health plan.

So when DOES HIPAA apply to employers? 


HIPAA generally applies to uses and disclosures of PHI made by a provider, in response to an employer's request for that PHI. If an employer asks the provider of an employee to submit, say, the employee's COVID-19 vaccination record to the employer, the employee, as the provider's patient, must first give the provider written authorization to do so.

