An Overview of the HIPAA Privacy Regulations
In 1996, Congress passed the Health Insurance Portability and Accountability Act (HIPAA). HIPAA is a comprehensive health reform act that, for the first time, creates a national standard giving individuals more control over their personal health information. Among other things, HIPAA regulations facilitate the electronic transmission of patient health, administrative and financial data. HIPAA was also enacted to enable individuals to find out how their medical information may be used. Furthermore, HIPAA establishes security standards designed to protect against the indiscriminate disclosure of an individual’s personal health information.
The basic principle of HIPAA is fairly straightforward: organizations that possess personal information related to an individual’s health care (or payment for health care) cannot disclose it, except in the following limited circumstances: (1) to the individual, pursuant to a signed, dated general consent form, in order to carry out treatment, payment or health care operations; (2) if not for treatment, payment or health care operations, then pursuant to a signed, dated and narrowly crafted authorization; or (3) to the government for purposes of public health, abuse/neglect investigation, fraud prevention, etc.
Without a doubt, one of the most important aspects of HIPAA is the protection of personal health information (PHI). PHI is defined as any information, in any form, created or received by a provider, health plan, insurer or employer, that relates to past, present or future health care or payments. Any such information that can be linked to a specific person by name, social security number, employee number or other identifier is considered PHI and falls under the domain of HIPAA.
Generally, HIPAA regulations apply only to “covered entities”. These include group health plans, health care providers and health care clearinghouses. Employers are specifically not covered under HIPAA regulations. However, this does not mean that an employer should simply disregard HIPAA, as there are many instances where an employer will fall within the regulations. For example, an employer, as plan sponsor of a group health plan, must take measures to ensure that the group health plan complies with HIPAA. An employer must also agree to comply with the rules if it helps administer a health plan, and it must ensure that its health plans comply with the rules.
There are also many situations in which an employer may receive PHI from a covered entity. Such disclosures are regulated by HIPAA. An employer may receive PHI from a covered entity only for a purpose consistent with an individual’s signed written authorization, or to advocate for an employee who has a benefit dispute or other claim with a health plan. Additionally, an employer may receive PHI in order to enroll an employee in a health plan, or to amend or terminate such a plan. An employer may also receive and use PHI to perform health plan administrative functions, but only pursuant to the restrictions in the HIPAA compliance plan governing the covered entity.
On the other hand, there are situations where the employer may request PHI from an employee outside of the domain of HIPAA. Nothing in the HIPAA regulations prohibits employers from conditioning employment on an individual signing the appropriate consent or authorization so that the employer may seek certain PHI. This may include drug test results, fitness-to-work assessments or other tests permitted by state or federal law. Furthermore, employers may have to request PHI to carry out their obligations under the Family and Medical Leave Act (FMLA) or the Americans with Disabilities Act (ADA); examples include return-to-work exams and FMLA leave reviews that contain PHI. These employment functions are not HIPAA-covered activities.
The Health Insurance Portability and Accountability Act places many restrictions on the disclosure and use of an individual’s health and medical information. Such restrictions are meant to further the Act’s goal of keeping “private information private”. But the restrictions were not created to entirely eliminate the disclosure of PHI. There remain various situations where such health and medical information can be disclosed, and many of these situations fall within the employer/employee relationship.