What HIPAA Regulations Apply to Employers?

TeachPrivacy

Key Points About How HIPAA Regulations Apply to Employers

HIPAA generally does not apply directly to employers in their role as employers. However, there are some situations where employers may have HIPAA obligations:

  • If the employer administers a self-insured health plan.
  • If the employer acts as an intermediary between employees, healthcare providers, and health plans.
  • If the employer is a “covered entity” or “business associate” under HIPAA.

Even when HIPAA does not apply, employers often handle employee health information and should take steps to protect its privacy. Many state laws protect health data as well as privacy generally.

Fundamental HIPAA rules that may apply to employers in certain situations:

  • Privacy Rule: Defines protected health information (PHI) and specifies how it can be shared.
  • Security Rule: Requires safeguards to protect electronic PHI.
  • Breach Notification Rule: Requires reporting of PHI breaches.
  • Administrative Simplification: Sets standards for electronic healthcare transactions.

Best practices for employers to protect employee health information:

  • Implement clear privacy policies.
  • Limit access to health information.
  • Securely store health records.
  • Obtain employee authorization before collecting or sharing health data.
  • Keep PHI separate from general personnel files.
  • Provide HIPAA training for employees who handle PHI, as this is required by HIPAA. Please reach out to us if you need HIPAA training.

In summary, while HIPAA does not broadly apply to all employers, there are specific situations where employers may have HIPAA obligations. Even when HIPAA doesn’t apply, we recommend following HIPAA-like practices to protect employee health information because there are many other laws that may be applicable.

Since its founding by Professor Daniel J. Solove in 2010, TeachPrivacy has provided training for hundreds of organizations, boutique to Fortune 500, both nationwide and globally. A leading international expert in privacy law, Solove is a law professor at George Washington University Law School, has authored more than 10 books and more than 50 articles, and has given lectures around the world. His LinkedIn blog has more than 1 million followers.