The Health Insurance Portability and Accountability Act (HIPAA) imposes requirements to protect and help consumers maintain both their health insurance and their privacy. Some of the main provisions include:
- The ability to transfer health insurance when switching jobs;
- Restrictions on limitations of health insurance due to preexisting conditions;
- The implementation of standards for electronic billing and related transaction processing;
- Establishment of regulations around pretax medical savings accounts; and
- The maintenance, security, and privacy of all confidential personal information about the policyholder and all others on the policy, including regulations on when such information can be disclosed. This is the main provision that most people are referring to when discussing “HIPAA compliance.”
Who Is Subject to HIPAA Regulations?
One of the first steps in understanding HIPAA is knowing who must comply with these regulations. Those who must comply are referred to as “covered entities.” There are three types of covered entities within HIPAA:
- Health Care Provider. This includes any healthcare provider that may transmit any type of covered information in electronic form. Examples of covered healthcare providers include most doctors, hospitals, pharmacies, dentists, optometrists, clinics, etc. It also includes related entities (business associates) who process healthcare information on their behalf.
- Health Plan. Any health insurance provider (or someone who is administering such) would also be subject to these regulations. This includes HMOs and Medicare, for example.
- Health Care Clearinghouse. This last covered entity includes any groups or individuals who process health information received from another entity, such as any group that creates electronic health records for a medical provider. This might be a healthcare billing service or even an online portal provider of health information for a specific healthcare group.
How Are Employers Affected by HIPAA Regulations?
Most employers are indirectly impacted by HIPAA, and some are directly impacted.
The most common way employers are affected is through dealing with a covered entity. Employers will often be restricted in the type of information they can receive from a covered entity due to privacy guidelines in HIPAA. For example, when an employer requests health information about an employee who has asked to take a leave of absence as permitted under the Family and Medical Leave Act (FMLA), the employee’s healthcare provider will be subject to HIPAA regulations. This will limit the information that the provider can share.
Another example for employers is the processing of workers’ compensation claims. By their very nature, these types of claims will include medical information, but the disclosure of such information is likewise limited by HIPAA. Generally speaking, the healthcare provider or related entity will be able to disclose only what is legally required under your state’s workers’ compensation laws.
Employers are also directly impacted by HIPAA regulations if they become a “covered entity.” Employers are not deemed to be a covered entity by default within the regulations but may become one when performing acts that fall under the covered entity definition, such as:
- Acting on behalf of a covered entity by electronically processing billing for a health insurance plan (thus becoming a business associate);
- Self-insuring for medical care (thus acting as a health plan provider); or
- Providing on-site medical services (thus acting as a healthcare provider).
In this context, an employer that is deemed to be a covered entity will have a heightened obligation to maintain the privacy of health-related data or face stiff civil and criminal penalties for violations.
*This article does not constitute legal advice. Always consult legal counsel with specific questions.
About Bridget Miller:
Bridget Miller is a business consultant with a specialized MBA in International Economics and Management, which provides a unique perspective on business challenges. She’s been working in the corporate world for over 15 years, with experience across multiple diverse departments including HR, sales, marketing, IT, commercial development, and training.