Many employers who have had it drilled into them that HIPAA applies to protected health information (PHI) of employees are often surprised to learn that the applicability of HIPAA to employee health information (EHI) is actually quite narrow. HIPAA only applies to EHI related to the employer’s group health plans (such as medical, dental, employee assistance program (EAP) and health flexible spending arrangement (FSA)). Employer-sponsored group health plans are HIPAA covered entities, and this is true regardless of whether the group health plan is insured by an insurance company or self-insured by the employer. However, the employer will not generally have HIPAA compliance responsibilities for an insured group health plan if it does not receive any EHI other than for the limited purpose of enrollment activities, or summary health information for amending or terminating the plan or obtaining premium bids. Instead, for a fully-insured group health plan, HIPAA compliance will generally be handled by the insurance company, which is also subject to HIPAA as a covered entity.
HIPAA doesn’t apply to EHI that the employer obtains from a source other than its group health plans, such as medical information related to employment (including pre-employment physicals, drug testing results, medical leave or workers’ compensation) and information from other employment-related benefits that are not group health plans (such as life or disability insurance). This result does not change merely because the employee’s health information is PHI when held by a HIPAA-covered entity health care provider who tested or treated the employee before the information was transferred to the employer via a HIPAA-compliant authorization.
Even though EHI obtained by an employer for employment-related reasons or relating to non-group health plan benefits isn’t subject to HIPAA, this doesn’t mean the employer can throw caution to the wind. Other federal and state laws (such as the Family and Medical Leave Act (FMLA), Americans with Disabilities Act (ADA) and state workers’ compensation laws) restrict the employer’s access to, use of and disclosure of this EHI and impose obligations to maintain its confidentiality. These restrictions and obligations apply regardless of how the employer obtains the EHI (for example, even if obtained pursuant to an authorization signed by the employee or directly from the employee).
Because other laws protect EHI even when HIPAA does not, it’s often helpful for the employer to apply the same or similar safeguards to all EHI, even if HIPAA does not apply. Applying HIPAA-like safeguards to EHI that isn’t subject to HIPAA will often not only bring the employer a long way towards complying with other federal and state laws that may apply, but may also avoid the need to categorize types of EHI in order to determine what level of safeguards should be imposed.