HIPAA for HR - Some Good News for Employers

13 February 2017 Labor & Employment Law Perspectives Blog
Author(s): Mark J. Neuberger, Nick J. Welle

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that, among other things, protects individuals’ protected health information (PHI). The Standards for Privacy of Individually Identifiable Health Information (the Privacy Rule), issued by the U.S. Department of Health and Human Services, established detailed national standards for the protection of PHI. In general, HIPAA protects individuals from the unauthorized use or disclosure of any PHI.

What does this have to do with employers? Most employers know that they almost always possess some health-related information about their employees. This type of information arises in the context of workers’ compensation claims, fringe benefit administration, and the administration of leave and absenteeism policies. Accordingly, employers are rightfully concerned about compliance with HIPAA’s Privacy Rule. However, for once, this newsletter delivers some relatively good news to HR managers and in-house counsel.

First Piece of Good News: The HIPAA Privacy Rule only applies to “Covered Entities,” which the regulations define as: (1) a health plan; (2) a health care clearinghouse; and (3) a health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter. The rules also apply to “Business Associates,” which are vendors that provide services involving PHI for or on behalf of Covered Entities. Thus, the Privacy Rule WILL apply to employers if they somehow operate as a health plan, a health care clearinghouse, or a health care provider, or if they provide certain services on behalf of one. Most other employers will not be “Covered Entities.” As a result, employers providing health coverage to their employees through a health insurance policy will generally not be responsible for HIPAA compliance, because the insurance company is the Covered Entity (it is considered the health plan) and is the one required to comply with HIPAA. In these cases, the employer may subject itself to HIPAA if it affirmatively chooses to receive PHI from the insurer, but this is rare.

Caution for Self-Insured Plans: The story is different, however, for employers who sponsor health plans on a “self-insured” basis (i.e., the employer does not enter into a health insurance contract, but instead pays for the health benefits out of its general assets and typically engages a service provider to administer claims). While the employer itself is still not a “Covered Entity,” the self-insured plan is, and the employer, as plan sponsor, becomes the entity responsible for the plan’s HIPAA compliance when no insurance company stands behind it. Such employers may contract out most of the HIPAA obligations to a service provider, but they will still retain some HIPAA responsibilities, and their employees are much more likely to have access to PHI.

Second Piece of Good News: Most of the information contained in an employer’s personnel files and records is not PHI. The regulations (45 C.F.R. § 160.103) state that “Protected health information excludes individually identifiable health information … in employment records held by a covered entity in its role as an employer.” Thus, even the information held in employment records by health care institutions is generally not governed by HIPAA.

Third Piece of Good News: Inquiring HR managers who have read this far are thinking, “OK, but what about workers’ compensation claims? I get a lot of detailed medical information on my claimant employees. That has to be protected.” Here, too, the Privacy Rule gives employers a break. The rule recognizes that employers, along with their workers’ compensation insurers and claims administrators, have a legitimate need to access detailed medical records in order to administer the workers’ compensation system efficiently. In many cases, the Privacy Rule allows Covered Entities (those actually providing the medical treatment to your injured employees) to disclose treatment information, as authorized by and to the extent necessary to comply with workers’ compensation laws, without violating HIPAA.

The fact that the information you maintain in employment records about your employees is not necessarily regulated by HIPAA should not be a basis for ignoring employees’ legitimate privacy concerns. Employers may be subject to various state privacy laws, which afford employees different and additional protections beyond HIPAA. Additionally, employers may have to deal with a knowledge gap: many employees firmly, but wrongly, believe they are entitled to HIPAA protection over their workplace medical records. This is a complicated and constantly evolving area of the law, so employers should consider taking the following steps:

  • Understand whether the employer has heightened HIPAA obligations (for example, if it maintains a self-insured group health plan), and confirm that appropriate policies, procedures, and training programs are in place.
  • Develop policies and procedures to secure what employees believe are their confidential medical records. Train your managers on what they can ask and what they would be better off not asking. It may not be PHI, but that doesn’t mean you want TMI (Too Much Information). TMI is information you don’t really need to make appropriate management decisions, and the fact that you have it can be used by an employee to make out the elements of a discrimination claim.
  • Even though it is not necessarily PHI, it is a best practice, whenever you ask employees to provide any medical information (be it to administer leave, fringe benefits, or workers’ compensation), to obtain a properly drafted release and consent from the employee.
  • Whenever an outside party seeks to obtain medical information from your files, such as when your organization is served with a records subpoena, get competent legal advice.

While this article presents mostly good news for HR managers, the laws regulating the privacy of medical records are complicated and ever-evolving, so be sure to stay abreast of the latest developments and seek the counsel of appropriate experts.

This blog is made available by Foley & Lardner LLP (“Foley” or “the Firm”) for informational purposes only. It is not meant to convey the Firm’s legal position on behalf of any client, nor is it intended to convey specific legal advice. Any opinions expressed in this article do not necessarily reflect the views of Foley & Lardner LLP, its partners, or its clients. Accordingly, do not act upon this information without seeking counsel from a licensed attorney. This blog is not intended to create, and receipt of it does not constitute, an attorney-client relationship. Communicating with Foley through this website by email, blog post, or otherwise, does not create an attorney-client relationship for any legal matter. Therefore, any communication or material you transmit to Foley through this blog, whether by email, blog post or any other manner, will not be treated as confidential or proprietary. The information on this blog is published “AS IS” and is not guaranteed to be complete, accurate, and or up-to-date. Foley makes no representations or warranties of any kind, express or implied, as to the operation or content of the site. Foley expressly disclaims all other guarantees, warranties, conditions and representations of any kind, either express or implied, whether arising under any statute, law, commercial use or otherwise, including implied warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Foley or any of its partners, officers, employees, agents or affiliates be liable, directly or indirectly, under any theory of law (contract, tort, negligence or otherwise), to you or anyone else, for any claims, losses or damages, direct, indirect special, incidental, punitive or consequential, resulting from or occasioned by the creation, use of or reliance on this site (including information and other content) or any third party websites or the information, resources or material accessed through any such websites. 
