HIPAA is at the forefront of many employers' minds. As many are struggling to comply, hopefully some of the following questions and answers from the HHS website will help.
What Is Health Information Privacy?
The HIPAA Privacy Rule provides federal protections for individually identifiable health information held by covered entities and their business associates and gives patients an array of rights with respect to that information. At the same time, the Privacy Rule is balanced so that it permits the disclosure of health information needed for patient care and other important purposes.
The Security Rule specifies a series of administrative, physical, and technical safeguards for covered entities and their business associates to use to assure the confidentiality, integrity, and availability of electronic protected health information.
Who must comply with HIPAA privacy standards?
As required by Congress in HIPAA, the Privacy Rule covers:
- Health plans
- Health care clearinghouses
- Health care providers who conduct certain financial and administrative transactions electronically. These electronic transactions are those for which standards have been adopted by the Secretary under HIPAA, such as electronic billing and fund transfers.
These entities (collectively called “covered entities”) are bound by the privacy standards even if they contract with others (called “business associates”) to perform some of their essential functions. The law does not give the Department of Health and Human Services (HHS) the authority to regulate other types of private businesses or public agencies through this regulation. For example, HHS does not have the authority to regulate employers, life insurance companies, or public agencies that deliver social security or welfare benefits. See our business associate section and the frequently asked questions about business associates for a more detailed discussion of the covered entities’ responsibilities when they engage others to perform essential functions or services for them.
I’m an employer that offers a fully insured group health plan for my employees. Is the fully insured group health plan subject to all of the Privacy Rule provisions?
The Privacy Rule recognizes that certain fully insured group health plans may not need to satisfy all of the requirements of the Privacy Rule since these responsibilities will be carried out by the health insurance issuer or HMO with which the group health plan has contracted for coverage of its members. In particular, a fully insured group health plan that does not create or receive protected health information other than summary health information (see definition at 45 CFR 164.504(a) (GPO)) and enrollment or disenrollment information is not required to have or provide a notice of privacy practices. See 45 CFR 164.520(a)(2) (GPO).
Moreover, these group health plans are exempt from most of the administrative responsibilities under the Privacy Rule. See 45 CFR 164.530(k). These health plans are still required, however, to refrain from intimidating or retaliatory acts (45 CFR 164.530(g) (GPO)), and from requiring an individual to waive their privacy rights (45 CFR 164.530(h) (GPO)). The documentation requirements at 45 CFR 164.530(j) apply to these group health plans only to the extent of amendments, if any, made to the plan documents for the sharing of information with the plan sponsor under 45 CFR 164.504(f) (GPO). Additional information about the Privacy Rule, including guidance and technical assistance materials, is available through the Department of Health and Human Services Office for Civil Rights Web site.
Must all small health plans comply with the Privacy Rule?
No. Certain plans are specifically excluded from having to comply with the HIPAA Administrative Simplification requirements, including the Privacy Rule. See 45 CFR 160.103 (GPO). An employee welfare benefit plan that has less than 50 participants and is administered by the employer that establishes and maintains the plan is not a HIPAA covered entity. These plans, therefore, are not subject to the Privacy Rule. For additional information regarding compliance with the Privacy Rule, see the Office for Civil Rights Web site.
Are the following types of insurance covered under HIPAA: long/short term disability; workers' compensation; automobile liability that includes coverage for medical payments?
No, the listed types of policies are not health plans. The HIPAA Administrative Simplification regulations specifically exclude from the definition of a “health plan” any policy, plan, or program to the extent that it provides, or pays for the cost of, excepted benefits, which are listed in section 2791(c)(1) of the Public Health Service Act, 42 U.S.C. 300gg-91(c)(1). See 45 CFR 160.103. As described in the statute, excepted benefits are one or more (or any combination thereof) of the following policies, plans or programs:
- Coverage only for accident, or disability income insurance, or any combination thereof.
- Coverage issued as a supplement to liability insurance.
- Liability insurance, including general liability insurance and automobile liability insurance.
- Workers’ compensation or similar insurance.
- Automobile medical payment insurance.
- Credit-only insurance.
- Coverage for on-site medical clinics.
- Other similar insurance coverage, specified in regulations, under which benefits for medical care are secondary or incidental to other insurance benefits.
What Is Protected Health Information (PHI)?
The Privacy Rule defines PHI as individually identifiable health information, held or maintained by a covered entity or its business associates acting for the covered entity, that is transmitted or maintained in any form or medium (including the individually identifiable health information of non-U.S. citizens). This includes identifiable demographic and other information relating to the past, present, or future physical or mental health or condition of an individual, or the provision or payment of health care to an individual that is created or received by a health care provider, health plan, employer, or health care clearinghouse. For purposes of the Privacy Rule, genetic information is considered to be health information.
For Covered Entities and Business Associates
The HIPAA Rules apply to covered entities and business associates.
Individuals, organizations, and agencies that meet the definition of a covered entity under HIPAA must comply with the Rules’ requirements to protect the privacy and security of health information and must provide individuals with certain rights with respect to their health information. If a covered entity engages a business associate to help it carry out its health care activities and functions, the covered entity must have a written business associate contract or other arrangement with the business associate that establishes specifically what the business associate has been engaged to do and requires the business associate to comply with the Rules’ requirements to protect the privacy and security of protected health information. In addition to these contractual obligations, business associates are directly liable for compliance with certain provisions of the HIPAA Rules.
If an entity does not meet the definition of a covered entity or business associate, it does not have to comply with the HIPAA Rules. See definitions of “business associate” and “covered entity” at 45 CFR 160.103.