
Does HIPAA Apply To Employers?

July 22, 2025

HIPAA regulations contain strict privacy and data security rules for individual health information. Considering the costs and resources required for HIPAA compliance — not to mention the high cost of HIPAA violations — it’s normal for enterprises to get nervous about this framework. This guide explains whether HIPAA applies to employers and provides helpful recommendations for approaching employee privacy.

Which Companies Does HIPAA Apply To?


The purpose of HIPAA laws is to protect patient data and give individuals certain rights to their health data. HIPAA regulations place limits on what healthcare organizations can share, how much, and with whom they can share it. For this reason, HIPAA mainly applies to the healthcare and health insurance industries.

There are two main categories of businesses that are subject to HIPAA requirements: covered entities and business associates. According to 45 CFR 160.103, covered entities are:

  • Healthcare providers, such as hospitals, clinics, pharmacies, nursing homes, and doctors
  • Healthcare clearinghouses (e.g., transcription service providers)
  • Health plans, such as HMOs and health insurance companies

Business associates are companies that create, receive, maintain, or transmit PHI for covered entities. In other words, they process patient data on behalf of healthcare companies and insurers. Examples include cloud-storage providers, IT companies, and third-party benefits management services. Business associates have to follow the same HIPAA privacy and security rules as covered entities.

If you’re wondering whether HIPAA applies as an employer, your first step should be to determine if your company qualifies as a covered entity or business associate.

Does HIPAA Apply To Employers?

In most cases, HIPAA doesn’t apply to employers. There are a few exceptions, but unless your company is a covered entity or a business associate, your HIPAA obligations are usually minimal or non-existent.

Industries Where HIPAA Doesn’t Normally Apply

Organizations that aren’t covered entities or business associates don’t generally need to worry about HIPAA regulations. Neither do companies that work with hospitals but don’t come into contact with PHI. For example:

  • Construction companies
  • Banks and lenders
  • Pharmaceutical manufacturers
  • Insurance companies that don’t provide health insurance
  • Staffing agencies
  • Wearable technology manufacturers

On the other hand, businesses that offer IT and network security services to hospitals may need to follow HIPAA. It comes down to whether your systems or personnel have access to sensitive patient data.

Even in this situation, though, you would only need to follow HIPAA rules for the PHI you handle on behalf of your clients, not for the health information of the employees who work for you.

The Purpose of the Information


A second factor to consider is that HIPAA only covers health information when it is used for healthcare purposes. Some examples of covered transactions include:

  • Payment requests from healthcare providers
  • Treatment eligibility questions
  • Patient referral requests
  • Benefits or coverage requests from healthcare providers or insurers

Employment-related health questions aren’t considered HIPAA-covered transactions. For example, if your HR department asks about allergies or physical qualifications, that isn’t PHI. Also, HIPAA doesn’t apply to employment records.

Of course, you still need to follow state and federal employment laws. These may prohibit asking certain questions related to disabilities or past injuries.

The Employer Role Exception

Even covered entities and business associates don’t necessarily need to follow HIPAA rules when it comes to employees. For example, hospitals don’t normally have any HIPAA obligations toward workers such as:

  • Janitorial staff
  • Medical personnel
  • Administrative workers
  • Employees in the billing department
  • Independent contractors
  • Kitchen workers

Put simply, HIPAA applies to patient information, not worker data. Two parts of the regulation explain why.

First, the HIPAA definition of individually identifiable health information only applies to information created by a covered entity or business associate. It doesn’t include records that happen to reference an employee’s health, such as how many sick days a person has taken or performance evaluations.

Second, under 45 CFR 160.103, the definition of PHI specifically excludes individually identifiable health information “in employment records held by a covered entity in its role as employer.” Even healthcare organizations are normally exempt from HIPAA for tasks related to their employees, such as HR scheduling and employee oversight responsibilities.

Workers’ Compensation

HR staff may need to help employees apply for workers’ compensation coverage. Even though this process involves health-related information supplied to the workers’ comp insurer, HIPAA doesn’t apply to requesting, viewing, storing, or processing the necessary information.

State and federal workers’ comp laws take precedence. Of course, HIPAA does affect how much information healthcare providers can share with you.

How Does HIPAA Apply To Employers?

Employer-sponsored health insurance is an example of how HIPAA might apply to employers.

HIPAA only applies to certain employers in very specific situations. Follow this list step by step to find out if your organization is included.

Covered Entities That Provide Patient Services to Employees

It’s not uncommon for employees of dental clinics, hospitals, and medical clinics to also be patients in the same facility. Some healthcare companies include wellness services as employment perks.

In the role of healthcare provider (or insurer), HIPAA-covered entities must treat an employee’s PHI like any other patient’s data. In other words, information in the person’s electronic health records can’t be accessed for business purposes without consent.

Employers That Offer Self-Insured or Group Health Plans

Employer-sponsored health plans are considered covered entities under HIPAA. They include partially insured, fully insured, and self-insured group health plans. These health plans must comply with HIPAA privacy and security requirements.

It’s important to note that HIPAA views the health plan as a separate business entity. Only the health plan is required to meet HIPAA standards, such as cybersecurity protections and privacy policies. The costs of these programs impact your organization, of course.

There are some exceptions to when and how HIPAA applies to employers. Plans with fewer than 50 enrolled participants are exempt. Also, fully insured plans can skip most of the security rule requirements, as long as the sensitive data they process is limited to basic enrollment info or summary health records (e.g., claims history).

Other Privacy Laws

A growing number of states are creating privacy protections for workers and individuals. In California, businesses must adhere to CCPA standards when managing employee data, including telling employees what data the business gathers and how it uses that data.

Does HIPAA Apply To Your Business?

HIPAA mainly applies to employers that offer group health plans. Even covered entities are exempt from HIPAA rules when it comes to employment records and workers’ comp. Still, there are benefits to implementing robust cybersecurity and clear privacy policies. Learn more about HIPAA compliance best practices and benefits today.
