HIPAA/LAW:
Legal Q/A
June 2002
"Covered Entities as Employers -- How Does HIPAA Apply?"
by Steve Fox, Esq., & Rachel Wilson, Esq.,
Pepper Hamilton LLP
QUESTION: As a healthcare "covered entity," does
my organization also have HIPAA responsibilities as an employer?
ANSWER: If your organization is like most health care providers,
health plans, and health care clearinghouses subject to HIPAA's
administrative simplification provisions ("Covered Entities"),
it is very aware of its obligations to maintain the privacy and
security of certain patient health information. Toward that end,
you and your colleagues are likely in the process of implementing
the safeguards, procedures, and policies necessary to provide patients
with at least a minimum standard of privacy protection. All of which
is great - but you cannot forget to include protections for the
health information of your employees. HIPAA is applicable to you
in your role as employer as well as Covered Entity.
Employers are not Covered Entities subject to direct regulation
under HIPAA. However, in their role as group health plan sponsors,
employers generally have certain compliance obligations under HIPAA's
privacy rule (the "Privacy Rule") as business associates.
These obligations arise out of the functions performed by the plan
sponsor in connection with the administration of benefits.
Any protected health information ("PHI") that is used
or disclosed to perform such functions is protected under HIPAA,
as are the corresponding activities carried out by the plan sponsor's
workforce. Accordingly, health plans may not release PHI to plan
sponsors unless and until such sponsors certify that the plan documents
have been amended to incorporate provisions
that:
- establish the permitted uses and disclosures of PHI;
- prohibit the use or disclosure of PHI except as permitted or
required by the plan documents or as required by law;
- ensure that any agents to whom the plan sponsor provides PHI
are bound by the same restrictions and conditions that apply to
the plan sponsor with respect to such information;
- prohibit the plan sponsor from using or disclosing PHI for
employment-related actions and decisions or in connection with
any other benefit or benefit plan;
- require the plan sponsor to report any use or disclosure of
the PHI that is inconsistent with the permitted uses and disclosures;
- make certain that PHI will be made available to individuals
in accordance with the applicable terms of the Privacy Rule; and
- ensure separation between the plan sponsor and the plan.
This latter item is to be accomplished by restricting the use and
disclosure of PHI, limiting access to PHI, and developing a mechanism
to resolve issues of noncompliance with such use, disclosure, and
access restrictions.
The proposed security rule under HIPAA (the "Security Rule")
will also likely apply to Covered Entities in their role
as employers. Although plan sponsors are not Covered Entities, they
may nevertheless be required to comply with the Security Rule by
executing chain of trust agreements to ensure the security of data
transmitted electronically between the sponsor and the Covered Entity.
Steve Fox, Esq., is a partner at the Washington, DC office of Pepper
Hamilton LLP. This article was co-authored by Rachel H. Wilson,
Esq., of Pepper Hamilton LLP. www.pepperlaw.com
Disclaimer: This information is general in nature and should not
be relied upon as legal advice.