
New HIPAA Requirements – Impact on Employers and Health Plans

June 27, 2003


Federal privacy regulations issued in 2000 under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) require sweeping changes in the way the health care system manages health information. Health care providers, health care clearinghouses and health plans (known as “covered entities”) are directly governed by these requirements, and the government regulators who wrote the HIPAA rules emphasize that they do not have statutory authority to regulate employers. However, depending on the structure of your health plan and your employment-related needs for health information, the regulations can significantly affect your operations. Understanding who is covered by the HIPAA regulations and what information is included in their reach can help you sort through the HIPAA morass.

The HIPAA Privacy Rule and Employer-Sponsored Health Plans

The so-called “Administrative Simplification” requirements of HIPAA primarily address three separate components: 1) electronic transactions and code sets; 2) privacy; and 3) security. The privacy component has received the most attention recently, since compliance was required by April 14, 2003 (April 14, 2004 for small health plans). These detailed regulations, known as the “Privacy Rule,” generally regulate how covered entities use and disclose “protected health information” (PHI). PHI is any individually identifiable health information that is transmitted or maintained in any form. As noted above, employers are not covered entities, but the broad definition of “health plan” means that the Privacy Rule will apply to a broad spectrum of employer-sponsored benefit programs, including:

• Medical benefit plans (insured or self-insured) with 50 or more participants, or plans of any size that are administered by an outside vendor;
• Long term care coverage;
• Dental plans;
• Vision plans;
• Prescription drug plans;
• Some employee assistance plans or other mental health programs;
• Medicare Supplement plans;
• Flexible Spending Accounts/Personal Health Accounts; and
• Some executive physical programs.

HIPAA and Self-Insured Plans

If your organization offers any of the benefit programs listed above on a partially or fully self-insured basis (meaning some or all benefits are paid out of company assets, rather than by an insurance company), you may need to take a number of steps to ensure that these benefit programs are in compliance, including mailing your “Notice of Privacy Practices” to all participants, executing “business associate agreements” with your vendors, implementing policies to safeguard information and to allow participants to exercise HIPAA-guaranteed “individual rights,” and making HIPAA-required amendments to the plan documents. Small health plans (which have until April 14, 2004 to come into compliance) should begin to address the requirements now, and larger plans may still have some loose ends that need tying.

Although many third-party administrators and other health plan vendors have become very familiar with the Privacy Rule’s requirements, in most cases they are not covered entities in their own right. This means that the compliance obligation (and the associated penalties for noncompliance) ultimately falls on the plan sponsor. If you have not yet executed agreements containing the HIPAA-required contractual provisions (known as “business associate agreements”) with these vendors, look to see whether they can take on some of the HIPAA responsibilities on your behalf, such as handling “individual rights” requests.

HIPAA and Fully-Insured Health Plans

If all the benefits your company provides to its employees are fully insured, and if the insurer/HMO does not provide you with any identifiable health information, your health plan HIPAA compliance obligations will be minimal. You must refrain from retaliating against an individual for exercising his or her privacy rights (for instance, if an employee complains to the HIPAA regulators about the HMO’s use of her information), and may not require employees to waive their rights to file complaints as a condition of participating in the health plan. To document your compliance efforts with these provisions, review all enrollment materials to ensure they do not contain hidden waiver provisions, and adopt policies to implement the non-retaliation and non-waiver requirements.

What’s Outside the “HIPAA Box”?

Some forms of insurance and other benefits are excepted from HIPAA’s requirements: life insurance, long- and short-term disability coverage, workers’ compensation programs, accidental death and dismemberment (AD&D), auto insurance, and reinsurance/stop loss coverage are not directly covered by the Privacy Rule (although they may be impacted, as discussed below). A health plan that is a covered entity, however, may not disclose PHI for use by these programs without an individual authorization. For instance, information from the health plan cannot be used to determine a workers’ compensation claim.

The Privacy Rule also contains an important exclusion for “employment records,” such as health information received in connection with sick leave requests, fitness-for-duty examinations, FMLA certifications, requests for ADA accommodations, and other information that your company receives in its capacity as an employer. While this information generally is not subject to HIPAA, you should be aware that other state and federal confidentiality provisions may apply. For instance, the ADA’s confidentiality requirement applies even to information conveyed orally, and many states have laws regarding the confidentiality of personnel and medical files.

Other HIPAA Considerations

If a company needs health information regarding its employees for reasons not related to the health plan, the HIPAA Privacy Rule will also impact how this information is collected. If a health care provider treating an employee is covered by the HIPAA Privacy Rule, he or she will not be able to release any information to the employer without a HIPAA-compliant authorization form. If your policies require that health information be sent directly to the employer (such as drug test results), consider revising any internal release forms to meet the HIPAA requirements for a valid authorization. Note that there are some exceptions. Legally required disclosures such as the drug and alcohol tests for certain commercial drivers mandated by the Department of Transportation will not require employee authorization, and disclosures to the employer that are necessary to comply with workers’ compensation laws are also permitted.

Special rules apply to in-house health care providers such as on-site clinics or occupational health nurses. Generally, if these providers engage in standard electronic transactions (claims for payment, first reports of injury, etc.), they will be covered by the Privacy Rule, which means they must have their own set of policies and procedures and their own Notice of Privacy Practices, and they are subject to the whole panoply of HIPAA requirements. Such providers can disclose information relating to work-related illnesses or injuries to the employer if the information is necessary for the employer to comply with its obligations under OSHA or similar laws, and if a notice to that effect is given to employees or posted at the clinic. If your organization contracts with outside medical providers covered by the HIPAA Privacy Rule to provide needed medical information (such as fitness-for-duty examinations), these providers generally can require that the employee sign an authorization form as a condition of providing the care. If any in-house or contracted medical providers are covered by the HIPAA Privacy Rule in their own right, you should ensure that they are aware of HIPAA’s requirements and have implemented a compliance plan.

Conclusion

The HIPAA privacy regulations are lengthy and complex, and many employers are understandably confused about their effect and reach. Although the Privacy Rule does not directly regulate employers, self-insured health plans and other non-insured employer plans providing medical benefits (such as flexible spending plans) have significant compliance obligations. As a practical matter, the privacy requirements may require some changes in your employment policies and administrative practices. Assess the health information that you receive, revise your existing policies and forms if necessary, and contact legal counsel or expert HIPAA consultants for complicated compliance questions.