Does HIPAA Apply to Employers?

HIPAA applies to employers only when the employer operates as a HIPAA Covered Entity or a Business Associate, or when the employer sponsors a group health plan that is a HIPAA Covered Entity.

When An Employer Is A HIPAA Covered Entity

An employer is subject to HIPAA when it sponsors a group health plan that meets the definition of a health plan under HIPAA. In that context, HIPAA regulates the group health plan’s use and disclosure of protected health information and the safeguards applied to that information.

A separate employer function, such as human resources, is not automatically regulated by HIPAA. HIPAA obligations attach to the covered component, such as the group health plan, and to workforce members acting on behalf of that covered component.

Employment Records And HIPAA

HIPAA does not regulate employment records held by an employer in its capacity as an employer. Workplace records such as leave documentation, fitness-for-duty documents, and workers’ compensation administrative records are typically managed under employment and labor law frameworks rather than HIPAA, unless the information is received or maintained by the employer on behalf of a HIPAA Covered Entity component.

Employer Access To Group Health Plan Information

Employers that sponsor a group health plan may receive certain protected health information from the plan for plan administration functions when HIPAA conditions are met. Plan documents must address permitted disclosures for plan administration and identify the employees or classes of employees who may access protected health information for those functions. The employer must apply safeguards to protect protected health information received for plan administration.

Workplace Clinics And Provider Functions

An employer that operates an onsite clinic can be a HIPAA Covered Entity if the clinic provides healthcare services and conducts standard electronic transactions. In that setting, the clinic’s patient information is protected health information subject to the HIPAA Privacy Rule and HIPAA Security Rule, and it must be segregated from employment records and employment decision-making workflows.

Workforce Training

All workforce members must receive HIPAA training when they are part of a HIPAA Covered Entity workforce or perform functions for a covered component. Annual HIPAA training is industry best practice. Training on HIPAA rules and regulations provides a foundation for workforce understanding before instruction on internal policies and procedures.

Daniel Lopez

Daniel Lopez is the HIPAA expert behind HIPAA Coach. Daniel has over 10 years’ experience as a HIPAA trainer and has developed deep experience in teaching HIPAA to healthcare professionals. Daniel has contributed to numerous publications, including expert articles on The HIPAA Guide. Daniel is currently a staff writer on HIPAA at the Healthcare IT Journal. Daniel was a subject matter expert for ComplianceJunction's online HIPAA training. Daniel's academic background in Health Information Management is the foundation of his HIPAA expertise. Daniel's primary professional interest is protecting patient privacy, which he believes is the core of the HIPAA regulations and the best route to HIPAA compliance. You can reach Daniel on the contact page of HIPAA Coach and follow him on Twitter at https://twitter.com/DanielLHIPAA