This paper examines the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and its implications for employers outside the traditional healthcare industry. It explains the definition of Protected Health Information (PHI), key exceptions, and the four core components of the Privacy Rule. The paper outlines the specific compliance steps employers sponsoring group health plans must take, including amending plan documents, establishing firewalls, appointing privacy officers, and training staff. It also addresses limited circumstances under which PHI may be shared without employee authorization, such as OSHA-related workplace surveillance, and concludes with a review of civil and criminal penalties for noncompliance.
The paper demonstrates effective policy analysis by moving from broad statutory definitions to specific employer obligations and then to consequences for noncompliance. This layered structure — define, apply, enforce — is a strong model for writing about regulatory frameworks in law, health policy, or business compliance contexts.
The paper opens by defining HIPAA and PHI, including key exceptions. It then enumerates the Privacy Rule's four components before pivoting to employer-specific obligations as plan sponsors. A detailed compliance checklist section follows, with particular attention to firewalls and plan document amendments. The paper then carves out permitted disclosures under OSHA and MSHA, and closes with a graduated penalty schedule to underscore the cost of noncompliance.
The Health Insurance Portability and Accountability Act (HIPAA) went into effect in the first quarter of 2003. HIPAA creates federally mandated requirements regarding Protected Health Information (PHI) that can affect any employer, regardless of its size, location, or industry. Government estimates place the price tag for compliance within the public and private sectors at approximately $22 billion. While the Privacy Rules were not aimed at regulating non-medical employers, employers who sponsor group health plans are affected, depending on whether the employer: (1) is fully insured or self-insured; and (2) creates or receives Protected Health Information.
Protected Health Information (PHI) is defined to include all individually identifiable health information held or transmitted by a covered entity or business associate, whether electronically or in other forms (Amatayakul, 2000). There are, however, some important exceptions. One significant PHI exception is that the Privacy Rules do not apply to employment records, including medical information employers use to comply with various disability laws such as the Americans with Disabilities Act (ADA), workers' compensation requirements, workplace disability policies, or substance abuse rules (Lax, 2002). Employers solely using medical information for compliance with disability laws and workplace policy administration are not covered. Another important exception involves de-identified health information, which is useful to employers in administering their health plans.
There are four core components of the Privacy Rules (Amatayakul, 2000):
1. Use and Disclosure Rules: These provide for written consents that may be obtained for treatment, payment, and related health care operations. Written authorization is required to use PHI for purposes other than treatment, payment, and related health care operations, such as marketing.
2. Privacy Practices Notice: This mandates that a privacy notice be given to the individual whose health information is being used, with the same notice provided to anyone who requests that information.
3. Individual Rights Provisions: These preserve the individual's right to access and amend their information, obtain an accounting of disclosures, and secure additional protections.
4. Administrative Requirements: These include designating a privacy officer, providing a complaint responder, conducting employee training, and establishing security policies — including firewalls to secure information (Lax, 2002).
The healthcare industry is familiar with HIPAA's Privacy Rule; however, many outside the industry are not necessarily aware of the significant impact the Privacy Rule may have on them. All employers that provide healthcare coverage to their employees — either through a fully insured or self-insured health plan — are affected by the Privacy Rule and must comply with it. The U.S. Department of Health and Human Services (HHS) is not authorized to regulate employers directly; however, employers are regulated under the Privacy Rule indirectly, through the group health plans they establish.
A group health plan is considered a "covered entity" and is therefore directly regulated, unless it is a small, self-administered plan with fewer than 50 participants. Many group health plans are contractual entities with no independent assets. Although not directly covered by the Rule, employers acting as "plan sponsors" who administer group health plans are responsible for ensuring that the mandates of the Privacy Rule are met. For example, although a Business Associate Agreement is not required for disclosures of PHI between a group health plan and the plan sponsor, the employer must voluntarily agree to use or disclose such PHI only as permitted or required by the Privacy Rule.
Subject to certain exceptions, the major steps an employer must take to comply with the Privacy Rule with respect to use and disclosure of PHI between the group health plan and the plan sponsor are as follows:
1. Create privacy policies and procedures that ensure all PHI relating to employees is adequately protected in compliance with the Privacy Rule.
2. Amend group health plan documents to specify how the use of PHI will be restricted to the purposes permitted by the Privacy Rule.
3. Establish policies and procedures to ensure that consent is obtained from an employee prior to using PHI for purposes such as enrollment in a group health plan.
4. Establish "firewalls" between personnel (and workspace) associated with handling PHI for the purposes of administering the group health plan and the rest of the employer's personnel and operations.