CROSS, GUNTER, WITHERSPOON & GALCHUS, P.C.
ATTORNEYS AT LAW LITTLE ROCK/FORT SMITH/FAYETTEVILLE www.cgwg.com Scotty Shively firstname.lastname@example.org 500 President Clinton Avenue, Suite 200 Little Rock, AR 72201 Telephone (501) 371-9999 Fax (501) 371-0035 Mailing Address P.O. Box 3178 Little Rock, AR 72203
AMERICAN BAR ASSOCIATION 2004 ANNUAL MEETING
ATLANTA, TUESDAY, AUGUST 10, 2004
SECTION OF EMPLOYMENT AND LABOR LAW
DO YOU WANT TO KNOW A SECRET: HIPAA AND THE NEW MEDICAL INFORMATION PRIVACY REGULATIONS
HIPAA FOR EMPLOYERS
Presentation by Scotty Shively
The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
amended five federal statutes. It provided for portability of health coverage, added
an arsenal of laws to the government for fighting fraud and abuse in public health
plans, and provided for administrative simplification in processing of health care
claims. HIPAA’s administrative simplification provisions were designed to improve
the efficiency and effectiveness of the health care system by facilitating the
electronic exchange of information with respect to financial and administrative
transactions carried out by health plans, health care clearinghouses, and health care
providers who transmit information electronically in connection with these
The Administrative Simplification provision raised a concern about the privacy of an
individual’s health information. The Act promulgated standards and empowered the
Department of Health and Human Services (DHHS) to issue regulations if Congress
had not enacted privacy legislation by August 21, 1999. Congress failed to act by
the deadline and the DHHS issued proposed regulations on November 3, 1999. The
final regulations for the standards for privacy of individual identifiable health
information were issued on December 28, 2000, in the last days of the Clinton
administration. This final rule was the subject of much debate among members of
the health care community and advocates of privacy rights. DHHS published a
modified Final Rule on August 14, 2002. This Privacy Rule deals only with a very
narrow provision in the Administrative Simplification title – Title II – and is only one of
five standards which address Administrative Simplification. However, the Privacy
Rule is the tail that wags the HIPAA.
© 2004 American Bar Association http://www.bna.com/bnabooks/ababna/annual/2004/shively.doc
The Administration Simplification provisions of HIPAA (Title II) include HIPAA
Privacy Rule, HIPAA Security Rule, and the Transactions and Code Set Standards.
The Privacy Rule requires the adoption of comprehensive privacy policies and
procedures to safeguard protected health information (“PHI”). The Privacy Rule
allows use or disclosure of PHI in the following situations:
• to the person who is the subject of the PHI (45 C.F.R.
• to carry out treatment, payment or health care operations (“TPO”) (45
• pursuant to an allowed exception (45 C.F.R. §164.502(a)(1)(iii));
• pursuant to a valid authorization (45 C.F.R. §164.502(a)(1)(iv));
• where the PHI has been de-identified (45 C.F.R. §164.502(a)(2)).
The Privacy Rule became effective on April 14, 2003 for providers, clearinghouses,
and health plans of over $5 Million; it became effective for health plans of $5
Million and under on April 14, 2004.
The Security Rule protects electronic information or information transmitted
electronically. The Security Rule requires Covered Entities to promulgate a risk
management program to evaluate the value of the assets, the potential for a loss or
disclosure, and the cost of additional countermeasures. The Security Rule becomes
effective on April 20, 2005, except for small health plans, which have until April 21, 2006.
HIPAA Privacy Rules and Security Rules are not identical so using the same
policies and procedures for both will not work. The Privacy Rules are concerned
with “what and why” all health information, electronic and non-electronic, is protected;
the Security Rules deal with “how” electronic information is protected.
The Transactions and Code Set Standards established standardized
computer formats and medical codes for specified billing and claims administration
transactions. This phase applies to Covered Entities with an effective date of
October 16, 2002 (October 16, 2003 for small health plans).
Purpose of HIPAA Privacy
Prior to passage of HIPAA, there was no comprehensive federal law that
addressed the use and disclosure of patient health care and payment information.
State laws were inconsistent and contradictory, only covered specific types of
records (e.g., HIV/AIDS), or did not exist at all. Many state laws fail to provide such
basic protection as ensuring a patient’s legal right to see a copy of his or her own
medical records. (65 F.R. 82463-464). Factors adding to the concern over
confidentiality of medical information were the growth in the number of companies
providing care and processing claims, growth in use of electronic information
technology (electronic claims processing and access to the internet), and increasing
ability to collect highly sensitive information as a result of advances in scientific
research. (65 F.R. 82463).
Important Dates and Deadlines for Administrative Simplification Provisions
August 21, 1996: HIPAA enacted; contains “Administrative Simplification” provisions (42 U.S.C. §§ 1320d-2 et seq.)
Dec. 28, 2000: Final Privacy Rule published by Clinton (65 F.R. 82462)
August 14, 2002: Final Privacy Rule (as modified) (67 F.R. 53182, 45 C.F.R. § 160, 164)
October 16, 2002: Compliance deadline for electronic transactions (unless extended)
Feb. 20, 2003: Final Security Rule published (45 C.F.R. §§ 160.103, 162.103)
April 14, 2003: Final compliance with Privacy Rule for all covered entities except “small health plans” (45 C.F.R. § 164.534)
April 14, 2004: Final compliance with Privacy Rule for “small health plans” ($5 Million or less) (45 C.F.R. § 164.534(b)(2))
July 30, 2004: Employer Identifier Standard, effective date for all covered entities except small health plans (67 F.R. 38009)
April 20, 2005: Final compliance with Security Rules (except for small health plans) (45 CFR § 164.318)
August 1, 2005: Employer Identifier Standard for small health plans
April 21, 2006: Final compliance with Security Rule for small health plans
May 23, 2007: Final compliance re: National Provider Identifier for all but small health plans (69 F.R. 3434)
May 23, 2008: Final compliance re: National Provider Identifier for small health plans
Who is covered by the Administrative Simplification Standards of HIPAA?
In 45 C.F.R. §160.103, “Covered Entities” are defined as:
• Group health plans
• Health care clearinghouses
• Health care providers that transmit information in electronic form
• Employers, in their role as employers, are not one of the defined covered entities.
Employers are indirectly regulated by HIPAA if they are a plan sponsor of ERISA health plans.
HIPAA’S Application To Employers
Employers were one of the first groups to gain awareness of the HIPAA Act
because the Title I portability provisions became effective in 1998. Employers who
offered health insurance to employees concentrated on the provisions relating to
special enrollment periods, certificates of creditable coverage, and other provisions
related to the portability of coverage.
Employers may be directly covered as a provider entity if they have an on-site health clinic or provide on-site healthcare services for which they bill electronically.
However, most employers are indirectly covered because they sponsor employee
health plans that are covered entities. The extent to which employers are impacted
depends upon whether the group health plan is fully-insured or self-insured.
Employers are impacted by HIPAA because they often need protected health information (PHI) about an employee which is maintained by a covered entity.
Finally, employers are impacted because HIPAA has created a heightened sense of
privacy not only for medical records, but for other information pertaining to
employees and other individuals.
HIPAA Basics for Privacy Rule
Covered Entities (defined at 45 C.F.R. §160.103)
The first step in HIPAA analysis is determining whether an employer is a
covered entity. A covered entity includes health plans, health care clearinghouses,
and health care providers who transmit any health information in electronic form. It
is important to note that this electronic transmission condition applies only to health
care providers. Health plans and health care clearinghouses are covered
regardless of whether they transmit in electronic form.
A health care provider is defined as a provider of medical or other health services
described under Medicare Part A or Part B (which encompasses most typical health
care services) or any other person or organization that furnishes, bills, or is paid for
health care in the normal course of business.
A health care clearinghouse is an entity, such as a billing service, repricing
company, or value-added network that either processes the health information
received from another entity into a standard transaction or receives a standard
transaction and processes it into nonstandard data content.
A health care plan is defined as any individual or group that provides or pays
for the cost of medical care. This includes HMOs, Medicare and Medicaid plans,
issuers of health insurance, Medicare supplemental-care policies and long-term care
policies, ERISA employee welfare benefit plans, active military personnel health care
programs, veterans’ health care programs, and others. Specifically excluded from
the definition of health plan, even though they may provide for the payment of
medical care, are Workers’ Compensation plans, casualty and property insurance
plans, and disability insurance programs. An employer health plan with fewer than
50 participants and which is self-administered by the employer is also excluded from
the definition of health plan.
Protected Health Information (PHI) (defined at 45 C.F.R. § 160.103)
Protected health information (PHI) is individually identifiable information, including demographic information, related to the past, present, or future physical or
mental health or condition, the provision of health care to an individual, or the past,
present, or future payment for such health care, that is created or received by a
covered entity. Individually identifiable information (45 C.F.R. § 164.514(b)(2))
covers a broad range of identifiers of the individual, his relatives, employer or
household members, including:
• name, address, telephone numbers, and email addresses
• social security number
• account numbers used to identify the patient in medical records, health
• certificate/license numbers, vehicle and device identifiers, serial
• biometric identifiers (finger/voice prints), photographic images
• all elements of dates (except year) including birth date, admission date,
discharge date, date of death, and all ages over 89
Medical information found in employee records is not PHI. There is also an
exception for medical information created pursuant to work place surveillance
obligations which is discussed in more detail later in this presentation.
Employer-Sponsored Health Plan
Although most employers are not covered in their role as an employer, they
may sponsor employee health plans which are covered entities. In addition to
sponsoring a plan, the employer may also be a plan administrator and plan fiduciary
under ERISA. HIPAA recognizes that, under ERISA, a plan and its plan sponsor are
separate legal entities. However, in practical terms it is the plan sponsor, i.e., the
employer, that typically acts on behalf of the plan because the plan has no
employees. Therefore, it will be the employer’s responsibility as the plan sponsor
and fiduciary to ensure the plan’s compliance with the HIPAA regulations. An
employer must examine each benefit it offers (i.e., major medical, dental, optical,
EAP, health reimbursement account, flexible spending account, and specialty
medical policy such as cancer policy) to determine if it meets the HIPAA definition of
a health plan and, if so, examine the employer's responsibilities under HIPAA.
These responsibilities can vary from plan to plan.
Employers offering self-insured health plans will be the most directly affected.
They will be responsible for the plan’s full compliance with HIPAA regulations, even
if they use a TPA for plan administration. Employers offering fully insured plans will
be able to delegate many compliance functions to the insurer but the employer’s
group health plan will retain some responsibilities.
1. Self-Insured Health Plans
In general, a self-insured or self-funded group health plan sponsored by an
employer must comply with all health plan requirements under the Privacy Regulations. There is an exception for self-insured, self-administered plans with
under fifty participants. The following are key provisions which apply to all health
plans, but raise special issues in the context of an employer-sponsored health plan:
a. Notice of Privacy Practices (NPP). The group health plan must have a
notice of privacy practices available for any enrolled participants. The notice need be
distributed only to the named insured, i.e. employees, but not to dependents. The notice
must state that the health plan, or the health plan’s insurer or HMO may disclose
PHI to the employer, as plan sponsor, for plan administration functions. See
generally, 45 C.F.R. § 164.520.
NPP must be provided no later than the compliance date for the health plan
(generally April 14, 2004), to new employees at the time of enrollment, and within 60
days of a material revision of the notice to individuals then covered by the plan. At
least every three years the plan must notify covered individuals of the availability of
the NPP and how to obtain the notice. 45 C.F.R. § 164.520(c)(1).
b. Authorizations. A health plan does not need an individual’s consent or acknowledgment of its notice of privacy practices to use or disclose PHI for
treatment, payment, or health care operations. (45 C.F.R. § 164.506.) These
activities include claim payment, stop-loss claims, subrogation, evaluating plan
performance, underwriting, auditing, and medical reviews. A number of other
disclosures do not require consent or authorization, including disclosures to comply
with Workers’ Compensation laws. 45 C.F.R. §§ 164.510 and .512.
Other uses and disclosures of information by the health plan require a written
authorization from the individual. See 45 C.F.R. § 164.508. Examples of
uses/disclosures that would require such authorization include any disclosures by
the health plan to the plan sponsor for non-plan purposes or providing names of
individuals covered by the medical plan to a long-term care insurer for marketing
purposes. Employers should conduct an inventory of the plan’s PHI uses and
disclosures to determine which, if any, require such authorization.
c. Request for Access and Amendments; Accounting for Disclosures.
(45 C.F.R. §§ 164.524, 164.526, and 164.528.) The health plan must establish a procedure
for handling these requests. If most of the health plan PHI is held by a TPA, the
TPA may perform these functions on behalf of the health plan. If so, these services
should be made an obligation of the TPA under the administrative services contract,
and appropriate policies and procedures should be developed. The ultimate
responsibility for these functions remains with the health plan, however. The notice
of privacy practices should explain whether individuals should contact the TPA or the
employer with these requests.
d. Complaints. (45 C.F.R. § 164.530(d)) The health plan must establish a procedure to handle privacy complaints from individuals. The notice of privacy
practices should explain whether individuals should contact the TPA or the employer.
e. Business Associate Agreements. (45 C.F.R. § 164.504(e)) A health plan
will typically outsource some plan administration activities. Any outside entity that
receives PHI from the plan in order to perform functions on behalf of the plan is a
business associate of the health plan. Business associates may include, for
example, TPAs, preferred provider organizations, utilization review companies,
subrogation recovery firms, accounting firms, insurance brokers, consultants, and
outside legal counsel. The plan must have the required business associate
agreements in place with each such business associate. The business associate
agreement provisions may be incorporated in another contract, such as an
administrative services agreement with a TPA.
f. Administrative Requirements. The employer-sponsored health plan is
also subject to the Privacy Regulations’ administrative requirements. See 45 C.F.R.
§ 164.530. The plan must:
• Designate a privacy official;
• Document the plan’s privacy policies and procedures;
• Conduct privacy training;
• Establish information security measures;
• Establish a system for reporting noncompliance; and
• Establish and enforce sanctions for policy violations.
In addition to the requirements applicable to all health plans, the following are
some special provisions that apply only to employer-sponsored health plans:
g. Limited Employer Access to PHI. (45 C.F.R. § 164.504(f).) Employers
may not access any health plan PHI for non-plan purposes, and especially not for
employment-related purposes. For example, an employer may not reassign an
employee to another job based on information from the health plan that the
employee is being treated for alcoholism. An employer receives personal
information about the employees from a variety of sources, including directly from
the employee. The concern of the Privacy Regulations, however, is information
received from or through the employer’s health plan.
h. Firewalls. Employers must establish a “firewall” between plan-related
uses of PHI and general corporate or employment-related uses of PHI. 45 C.F.R. §
164.504(f)(2)(iii). Employers who currently have the same individual or group of
individuals handling all benefit plans plus human resource matters should consider
separating these functions. In small organizations where having different staff
members for these functions is not feasible, the employer should, at a minimum,
establish policies and conduct training regarding the confidentiality of PHI and the
need to restrict uses as well as disclosures.
TPAs contacting an employer will need to be careful about the staff members
at the employer’s offices with whom they communicate, so that PHI is communicated only to authorized personnel. Covered entities and business associates will need to
carefully consider the appropriate avenues of communication.
Employment records are not PHI, even if they contain health information
about an employee. Employment records are not subject to this HIPAA “firewall”
requirement. Employment records may include medical information needed for an
employer to carry out its obligations under the Family and Medical Leave Act,
Americans with Disabilities Act, and similar laws, as well as files or records related to
occupational injury, disability insurance eligibility, sick leave requests and
justifications, drug screening results, workplace medical surveillance, and fitness-for-
duty tests of employees. Although not subject to the HIPAA "firewall," these types of
records have always been subject to "firewall" treatment under the Americans with
Disabilities Act and must be kept separate from other personnel records.
i. Plan Document. The health plan’s plan document must be amended to include a number of specific provisions relating to privacy. See 45 C.F.R. §
164.504(f). No disclosures from the health plan to the employer are permitted until
the plan document is amended. The plan document must identify all permitted and
required uses and disclosures of PHI by the employer for plan administration
purposes. The plan document must state that the employer will not use PHI
received from the plan for employment-related actions or decisions, or in connection
with any of the employer’s other health plans. The plan document must identify
which employees or classes of employees of the plan sponsor, or other persons
under control of the plan sponsor, are to be given access to PHI (e.g., a benefits
clerk, a benefits committee, or claims appeal committee). In addition, the employer
must ensure that there is adequate separation between the employer and the plan to
protect the privacy of plan-held information.
2. Insured Health Plans
Employer-sponsored health plans that offer benefits through an insurance
contract with a health insurance company or HMO (Insured Plans) are also covered
entities under HIPAA. For Insured Plans, however, most of the compliance
responsibilities discussed above will fall on the insurer or HMO, since they are
already covered entities under HIPAA. For example, the insurer or HMO will
typically provide the Notice of Privacy Practices and handle compliance with regard
to the individual’s right to access and amend their records, and to obtain an
accounting of disclosures. The policy behind this limited-compliance approach for
the Insured Plan is that the insurance company or HMO will be providing these
individual rights and privacy protections in its own role as a covered entity, and the
incremental value of having the employer’s Insured Plan duplicate these activities
would not justify the additional burdens on the plan sponsor. The obligations of an
employer that sponsors an Insured Plan with regard to HIPAA compliance are
determined by the approach the plan takes to PHI.
a. The Hands-Off Approach. Insured Plans can reduce their privacy
obligations if they take a “hands-off” approach to PHI. An employer-sponsored
health plan is not subject to most Privacy Regulations requirements if it provides
benefits solely through an insurance contract with an insurer or HMO. To qualify
under this “hands-off” approach, the Insured Plan may not create or receive any PHI,
except in two limited situations. It may receive and use enrollment and
disenrollment information and it may receive and use summary health information for
the purpose of obtaining premium bids or modifying, amending, or terminating the
plan. 45 C.F.R. § 164.504(f)(1)(ii). Even under this “hands-off” approach, there are
two obligations on the Plan sponsor. It cannot retaliate against or intimidate an
employee exercising his or her rights under the Privacy Regulations or require that
an employee waive his or her right to file a complaint with DHHS as a condition for
eligibility or participation in the plan. 45 C.F.R. § 164.530 (g), (b), (j), and (k). If the
Insured Plan shares any PHI with the plan sponsor (employer) other than
enrollment/disenrollment information and summary health information, the plan
document must be amended as described above.
Most employers, as plan sponsors, have been more "hands on" in the past in
helping employees with billing or coverage problems with either the insurance
company or the provider. A "hands off" employer must discontinue this practice
unless it obtains a signed authorization from the employee.
b. The Hands-On Approach. If the Insured Plan does create or receive PHI
in addition to enrollment/disenrollment and summary health information, i.e., it takes
a “hands-on” approach, it is generally subject to all of the Privacy Regulations requirements, including all of the administrative requirements discussed above, such
as appointing a privacy official, documenting its policies and procedures, and
providing training for its workforce. The responsibilities with regard to the notice of
privacy practices are reduced, however. The Insured Plan must prepare and
maintain a notice of privacy practices and provide that notice upon request (to
anyone), but is not required to distribute the notice to all plan participants.
All health plans, including all Insured Plans, must limit employer access to
PHI as described above and may not use health plan PHI for employment purposes.
Employer’s Receipt and Use of Employees’ Medical Information
HIPAA provides exceptions from the definition of PHI for medical information
found in employee records (45 C.F.R. § 164.501) and for medical information
created pursuant to OSHA medical surveillance obligations. (45 C.F.R. §
Employers may have an obligation under OSHA or state laws to conduct
medical surveillance on their employees. OSHA is authorized to adopt standards
requiring medical screening and surveillance in certain industries. Medical
screening is a method for detecting disease or bodily dysfunction in an individual
without current symptoms, but who may be at high risk for certain adverse health
outcomes. Medical surveillance, on the other hand, involves the analysis of health
information to look for problems that may be occurring in the work place that require
targeted prevention, and thus serves as a feedback loop to the employer. Thus,
OSHA can require medical surveillance to determine whether a given occupation
presents increased risks to employees, and, if it does, OSHA can then require
medical screening of employees in that occupation to monitor their exposure to the
increased hazards. Because an employer receives these medical records in its role
as an “employer,” it has no HIPAA responsibilities with respect to them. A provider,
however, does have HIPAA responsibilities before it may release these medical
records to an employer.
In order for a covered entity to disclose such information to the employer,
several requirements must be satisfied. First, the covered entity must either be an
on-site clinic or a clinic providing health care to an individual at the employer’s
request. The employer’s request must be in relation to “medical surveillance of the
workplace” or to evaluate whether the individual has a work-related illness or injury.