
Health Insurance Portability and Accountability Act of 1996 (HIPAA)

The Health Insurance Portability and Accountability Act of 1996 ("HIPAA") imposes a very detailed series of administrative requirements on covered entities[1] that use or disclose certain individually identifiable health information[2], referred to as protected health information[3] or PHI.  There are no restrictions on "de-identified health information."[4]

For detailed information, see Other helpful websites are and

HIPAA does not apply to medical records that are considered “employment records.” In determining what medical information is to be treated as PHI under HIPAA, the focus should be on the basis for obtaining the information, not the nature of the information. Information obtained by an employer in its role as an employer is generally not considered PHI. For example, if an employee submits medical records for the purpose of FMLA leave certification or workers’ compensation benefits, those records are employment records, not PHI.  Employment records may, however, be subject to other laws regarding use and disclosure.

HIPAA's privacy requirements, called the Standards for Privacy of Individually Identifiable Health Information (the "Privacy Rule"), were issued by the U.S. Department of Health and Human Services ("HHS").  There is an exclusion from the Privacy Rule and Security Rule for employer-sponsored health plans that are entirely self-administered and have fewer than 50 participants,[5] but this is a very limited exception.

The Privacy Rule defines and limits the circumstances in which an individual's PHI may be used or disclosed by covered entities.  The Security Rule seeks to assure the security of confidential patient information used by covered entities.

The term "covered entity" does not include employers who create and sponsor group health plans.  However, most employers are affected by the Privacy Rule and Security Rule, either indirectly or directly as a "fiduciary" of a health care plan under the Employee Retirement Income Security Act of 1974 ("ERISA").  As a practical matter, therefore, employers, as plan sponsors, may be required to comply with the Privacy Rule and Security Rule requirements.

(a) Small Employers' Obligations under the Privacy Rule

The Privacy Rule provides for several administrative requirements that group health plans must adopt.  The extent of a plan sponsor's compliance with such administrative requirements depends on whether the sponsored health plan is fully-insured or self-insured.  Certain fully insured plans are exempted from most of the administrative requirements.

The administrative requirements provide for plans to designate a privacy official responsible for developing and implementing privacy policies, and a contact person responsible for receiving complaints and providing privacy information.[6]  The plan should consider how the first and successor privacy officials will be appointed, as well as the duties of this position.

Further, plans must train all workforce members, including employees, volunteers, trainees and other persons whose conduct is under the direct control of the plan entity, on privacy policies and procedures, as necessary and appropriate for them to carry out their functions.[7]  If it is necessary for an employee to handle PHI to perform his or her duties, that employee must be trained with respect to the policies and procedures adopted by the plan. 

Plans must maintain reasonable and appropriate administrative, technical and physical safeguards to prevent intentional or unintentional use or disclosure of PHI in violation of the Privacy Rule.[8]  A plan must have and apply appropriate sanctions against employees who fail to comply with its privacy policies and procedures.[9]  In the event there is a breach of the Privacy Rule or the plan's policies and procedures, the plan should have procedures in place to mitigate the harmful effects of the breach.[10]

Plans must maintain procedures for individuals to complain about compliance with the policies and procedures and the Privacy Rule.[11]

Plans must not retaliate against a person for exercising rights under the Privacy Rule or require a waiver of any right under the Privacy Rule as a condition for obtaining treatment, payment, enrollment or benefits eligibility.[12]

Plans must maintain, until six years after the later of the date of their creation or last effective date, privacy policies and procedures, privacy practices notices, dispositions of complaints and other actions, activities and designations that the Privacy Rule requires to be documented.[13]

Plans should have a procedure for amending their policies and procedures both with respect to the plan sponsor's changing needs and changes in the law.  For "business associates"[14] of the plan, the plan should have policies and procedures for dealing with these individuals or entities, including negotiating the terms of a business associate agreement.[15]

Plan participants have certain rights under the Privacy Rule, such as the right to request access to their health information or to request that their health information be amended.[16]  Plans should have procedures for responding to such requests in the time and manner required under the Privacy Rule.

Nonprofits who do not fall within the "fully insured" exception described below must comply with the policies and procedures listed above.  The policies and procedures must be reasonably designed, taking into account the size and type of activities that the plan takes with respect to protected health information.

Certain fully-insured group health plans are exempted from most of the administrative obligations listed above.  In order to minimize the extent to which a plan sponsor is required to comply with HIPAA, the group health plan should be a fully insured health plan or HMO, and the plan sponsor should receive only (1) summary health information, (2) information on whether any individual enrolled or disenrolled or is participating in the plan, (3) de-identified information or (4) no health information.  While such an arrangement is a covered entity for purposes of the Privacy Rule, the group health plan is not required to maintain a privacy practices notice; rather, the insurer should maintain the notice.  The plan sponsor's requirements under HIPAA are limited to (1) the ban on retaliatory acts and waiver of individual rights, and (2) documentation requirements (as described further below), if plan documents are amended to provide for the disclosure of PHI to the plan sponsor by a health insurance issuer or HMO that services such covered entity.[17]

A plan is generally only permitted to disclose to its plan sponsor enrollment and certain summary health information.  However, unless a plan falls under the fully-insured exception, the plan sponsor will likely receive more information than is otherwise permitted simply because of requests by employees for assistance with claims.  Employers who receive PHI relating to employees participating in a sponsored plan must amend the plan document to require the employer to adhere to the Privacy Rule and certify that it has done so prior to receiving any PHI from the plan.  The employer must further agree (1) not to use or further disclose the PHI other than as permitted or required by the plan documents or as required by law, (2) to ensure that any agents, including subcontractors, to whom it provides PHI received from the plan agree to the same restrictions and conditions that apply to the plan sponsor with respect to such information, (3) not to use or disclose the PHI for employment-related actions and decisions or in connection with any other benefit plan of the same employer, (4) to report to the plan any use or disclosure of the PHI that is inconsistent with the uses or disclosures provided for in the plan document, (5) to make its internal practices, books and records relating to the use and disclosure of PHI available to HHS for the purposes of determining compliance with the Privacy Rule, and (6) if feasible, to return or destroy all PHI received from the plan that the employer still maintains in any form, and to retain no copies of such information, when it is no longer needed for the purpose for which the disclosure was made.[18]

There are several potential issues that nonprofits should be sensitive to with respect to the Privacy Rule.  First, even in a fully insured environment, some employees may seek assistance from the employer (as plan sponsor) in dealing with the insurance company.  If someone at the employer assists employees in filing health claims with an insurer, the employer will have access to a certain amount of health information, and this access will trigger more extensive HIPAA obligations.

Another area of concern is flexible spending accounts, or FSAs, under medical plans, which are by definition not fully insured arrangements.  If a nonprofit maintains a health FSA, there is a concern that the plan will no longer qualify for the Privacy Rule's "fully insured" exemption from the notice and other administrative requirements.  If a nonprofit maintains an FSA, it may wish to delegate compliance with the Privacy Rule's administrative requirements to third party vendors.

Further, in some cases, plan sponsors will contract with third party providers to administer the COBRA rights of participants.  Even in a fully insured environment, the relevant plan is still likely subject to the Privacy Rule.  If so, the plan would be required to amend the contract with the third party provider, which would be considered a "business associate," to include certain provisions.

(b) Small Employers' Obligations under the Security Rule

The Security Rule, as with the Privacy Rule, has a complete exception for self-administered group health plans under ERISA with fewer than 50 participants.

While the Privacy Rule applies to all PHI, the Security Rule protects only a portion of this category of information – electronic protected health information ("ePHI").[19] Where, however, the PHI being exchanged did not exist in electronic form before the transmission (for example, information read over the telephone or sent by paper fax), it is not ePHI.  In the administration of a group health plan, examples of ePHI might include email transmissions of "explanations of benefits"; secured networks with third party administrators (including those of health flexible spending arrangements, "HFSAs") that transmit and receive claims information; information regarding the status of an HFSA account, or whether a particular claim has been satisfactorily substantiated; and reports generated regarding claims experience in a self-funded health plan.

While, as mentioned above, the Privacy Rule provides that group health plans that are (i) fully insured and (ii) receive no protected health information beyond enrollment and summary health information are exempt from many of the Privacy Rule's administrative requirements, there is no such exemption under the Security Rule.  Thus, a plan that is not otherwise excluded from the requirements of HIPAA and that transmits, maintains or otherwise has access to ePHI must comply with the Security Rule.  The Security Rule will have an impact on most small health plans, but will not affect all plans in the same way.  This is because the Security Rule was designed using flexible, scalable standards rather than hard and fast rules.  In general, though, employers with fully insured plans will be affected less significantly than those with self-insured plans because of a self-insured plan sponsor's greater level of access to ePHI.

The steps a plan sponsor needs to take to comply with the Security Rule depend in part on the level of the plan sponsor's access to ePHI.  The Security Rule is made up of specific "standards" and "implementation specifications."[20]  Plans must comply with all standards based on (i) risk assessment, (ii) the provisions of the specific standards and implementation specifications, and (iii) the flexibility permitted under the Security Rule.

The overall goal of the Security Rule is to ensure that covered entities comply with the following general security standards: (1) ensure the confidentiality, integrity, and availability of all ePHI the plan creates, receives, maintains, or transmits, and protect against any reasonably anticipated threats or hazards to the security or integrity of such information, (2) protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under the Privacy Rule, and (3) ensure that members of the plan's workforce comply with the Security Rule.[21]

Most of the standards include one or more "implementation specifications," which are instructions for implementing the applicable standards.  Some implementation specifications are "required" and others are "addressable".  The Security Rule permits covered entities to use any measures that will reasonably and appropriately implement the Security Rule's standards and implementation specifications. This flexibility is to be guided, however, by taking the following factors into account: (1) the size, complexity, and capabilities of the covered entity, (2) the covered entity's technical infrastructure, hardware, and software security capabilities, (3) the costs of security measures, and (4) the probability and criticality of potential risks to ePHI.[22]

To determine whether to "address" an implementation specification designated by the Security Rule as being "addressable," a covered entity must first assess whether the specification is reasonable and appropriate for that entity.  If the specification is determined to be a reasonable and appropriate safeguard, the entity must implement the specification.  If the entity determines that the addressable implementation specification is not a reasonable and appropriate answer to the entity's security needs, the entity must either implement an equivalent alternative measure if that is reasonable and appropriate, or, if the standard can be met without it, not implement the specification or any equivalent alternative measure at all.[23]

If the covered entity chooses to implement an equivalent alternative measure, it must document the decision not to implement the addressable specification, the rationale behind implementing the alternative specification, and the alternative measure implemented.[24]  If the covered entity chooses not to implement the specification or any equivalent alternative measure, it must document the decision not to implement the addressable specification, the rationale behind not implementing the specification, and how the standard is being met.[25]  Thus, in order to decide that an addressable specification not be implemented in any form, the covered entity must determine that the standard can be satisfied without implementation of an alternative measure in place of the addressable implementation specification.

Covered entities must examine each of the specific standards under the following safeguards and determine how best to meet them.

Administrative safeguards are administrative actions, and policies and procedures, designed to manage the selection, development, implementation, and maintenance of security measures to protect ePHI and to manage the conduct of the covered entity's workforce in relation to the protection of that information.[26] 

Physical safeguards are physical measures, policies and procedures to protect the plan's electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion.  The Security Rule requires covered entities to implement physical safeguards for their electronic information systems whether such systems are housed on the plan's property or at another location.[27]

Technical safeguards refer to the policies and procedures for using technology to protect ePHI and control access to it. The Security Rule does not require the use of any specific technologies.[28]

Similar to the Privacy Rule's conditions with respect to PHI, if a covered group health plan discloses ePHI to its plan sponsor, an amendment to the plan documents may be required.  If the only ePHI disclosures the plan makes to the plan sponsor involve enrollment or certain summary health information, or information pursuant to an authorization, no amendments to the plan documents are required.  If, however, the plan makes other types of disclosures to the plan sponsor, the plan documents must be amended.[29]

As with the Privacy Rule, the Security Rule requires that policies and procedures be adopted to comply with the applicable standards and implementation specifications. These policies must be documented in writing.  In addition, any actions, activities or assessments required under the standards must be documented, including the decision of whether or not to take a particular action, why it was the appropriate action for the plan, and the factors taken into account.[30]

The Security Rule requires that documentation be retained for six years from the date of its creation or the date when it last was in effect, whichever is later.  It must also be available to those responsible for implementing the procedures to which the documentation pertains.  Lastly, documentation must be reviewed periodically and updated as needed to maintain the security of ePHI under changing circumstances.[31]

(c) Enforcement

Within HHS, the Office for Civil Rights ("OCR") has responsibility for implementing and enforcing the Privacy Rule, and the Centers for Medicare & Medicaid Services ("CMS") has responsibility for implementing and enforcing the Security Rule with respect to voluntary compliance activities and civil money penalties.  The OCR can impose a penalty not exceeding $100 per violation against any person who violates the Privacy Rule.[32]  The total amount that the OCR can impose on a person for all violations of an identical requirement or prohibition cannot exceed $25,000 during a calendar year.[33]  HIPAA also allows a criminal penalty to be assessed where a person knowingly and in violation of the Privacy Rule either obtains individually identifiable health information relating to an individual, or discloses individually identifiable health information to another person.[34]  Similarly, CMS can impose civil penalties ranging from $100 to $25,000 with respect to violations of the Security Rule.  Note that these enforcement arrangements and penalty amounts reflect the statute as originally enacted; the HITECH Act of 2009 substantially increased the civil penalty tiers and consolidated enforcement of both the Privacy Rule and the Security Rule within OCR, so current figures should be confirmed with counsel.

(d) Preemption

The relationship of HIPAA to the state privacy laws noted above and to ERISA is complex.  As a general rule, HIPAA will preempt state laws that are contrary to the Privacy Rule or Security Rule.[35]  "Contrary" means that it would be impossible for a covered entity to comply with both state and federal requirements, or that the provision of state law is an obstacle to accomplishing the full purposes and objectives of HIPAA.  However, there is a specific exception that is potentially very important for employer sponsored health plans: "more stringent"[36] state laws, i.e., laws that afford greater protection to individuals' privacy rights, will not be preempted.  For example, the New York law with respect to on-site clinics noted above would not be preempted.  Other laws that will not be preempted include laws that provide for the reporting of disease or injury, child abuse, birth or death, or for public health surveillance, investigation or intervention, and laws that require certain health plan reporting, such as for management or financial audits.  There is very little case law providing guidance as to whether a particular state law is "more stringent" than HIPAA.  Further, HHS has indicated that it does not intend for the Privacy Rule or Security Rule to replace the current ERISA preemption scheme.[37]  Unfortunately, the ERISA preemption analysis is not a straightforward one: while the United States Supreme Court has addressed the ERISA preemption issue on a number of occasions, its position has evolved over time (although no prior precedents have been overruled).[38]  Therefore, it will be important to consult with counsel as to whether a particular state privacy law may be preempted.



[1] These entities are health plans, health care clearinghouses, and health care providers that transmit claims electronically in standard transaction format. Therefore, even if an employer maintained an on-site clinic, it is highly unlikely that it would be a covered entity because it would not transmit claims electronically in standard transaction format.  If, however, your organization's clinic fits within that highly unusual fact pattern, your organization will be subject to the HIPAA policies and procedures, the scope of which is beyond the scope of this handbook.  Note also that HIPAA does not directly regulate employers, in the sense that employers are not covered entities for purposes of HIPAA.  However, as a practical matter, employers will need to ensure that their health plans are in compliance with HIPAA.  Note also that an employer and its group health plan are regarded as separate entities for HIPAA purposes.

 [2] Health Information is defined as any information that is created or received by a Covered Entity or an employer and relates to the past, present or future physical or mental health of an individual.  Individually Identifiable Health Information is Health Information that is created or received by a Covered Entity or an employer and identifies the individual (including by name, address or social security number) who is the subject of the Health Information or with respect to which there is a reasonable basis to believe the information can be used to identify the individual. 

 [3] Protected Health Information (PHI) is Individually Identifiable Health Information that is transmitted or maintained by or in electronic media or is transmitted or maintained by or in any other form or medium.  For example, PHI may be contained in paper documents and files, magnetic tapes, CDs, Internet transmissions and oral discussions. Individually identifiable health information means information (i) collected from an individual; (ii) created or received by a health care provider, health plan, or health care clearinghouse; (iii) that relates to the provision of health care to an individual or the past, present or future payment for health care; and (iv) that identifies the individual or that can be used to identify the individual. 45 CFR § 164.501.  Protected health information does not include employment records held by a covered entity in its role as an employer. 45 CFR § 164.501, protected health information definition (2).

 [4] De-identified health information consists of information from which identifiable information such as names, telephone and fax numbers, all elements of dates, geographical information and social security numbers has been removed in accordance with 45 CFR § 164.514.

 [5]  45 CFR § 164.501, definition of "group health plan".

 [6] 45 CFR § 164.530(a)

 [7] 45 CFR § 164.530(b)

 [8] 45 CFR § 164.530(c)

 [9] 45 CFR § 164.530(e)

 [10] 45 CFR § 164.530(f)

 [11] 45 CFR § 164.530(d)

 [12] 45 CFR § 164.530(g)-(h)

 [13] 45 CFR § 164.530(j)

[14] In general, "business associate" means a person who performs on behalf of the covered entity any function or activity involving the use or disclosure of PHI and who is not a member of the covered entity's workforce.  The definition of "function or activity" is all encompassing: legal, actuarial, accounting, consulting, data processing, management, administrative, accreditation, financial services and anything else for which a covered entity might contract out are included, if access to PHI is involved.  A covered entity may be a business associate of another covered entity. 45 CFR § 160.103.

 [15] 45 CFR § 164.502(e)

[16] 45 CFR § 164.524 (access); 45 CFR § 164.526 (amendment)

[17] 45 CFR § 164.530(k)

[18] 45 CFR § 164.504(f)(2)

[19] ePHI is protected health information that is transmitted by or maintained in "electronic media." In general, "electronic media" means (1) electronic storage media, such as a hard drive and any removable/transportable digital memory medium, such as a flash drive, and (2) transmission media used to exchange information already in electronic storage media, such as the internet, leased lines, dial-up lines, private networks, and the physical movement of removable/transportable electronic storage media.

 [20] 45 CFR § 164.306(c)-(d)

 [21] 45 CFR § 164.306(a)

 [22] 45 CFR § 164.306(b)(2)

 [23] 45 CFR § 164.306(d)(3)

 [24] 45 CFR § 164.306(d)(3)(ii)(B)

 [25] 45 CFR § 164.306(d)(3)(ii)(B)

 [26] 45 CFR § 164.308

 [27] 45 CFR § 164.310

[28] 45 CFR § 164.312

 [29] 45 CFR § 164.314(b)

 [30] 45 CFR § 164.316

 [31] 45 CFR § 164.316(b)(2)

 [32] 42 USC § 1320d-5(a)

 [33] 42 USC § 1320d-5(a)

 [34]  42 USC § 1320d-6(a)

 [35] 45 CFR § 160.202

 [36] 45 CFR § 160.202

 [37]  65 Fed. Reg. 82582 (December 28, 2000).

 [38] Section 514(a) of ERISA preempts all state laws that "relate to" any employee benefit plan. In New York Conference of Blue Cross and Blue Shield Plan v Travelers Insurance Co. 514 U.S. 645 (1995), the United States Supreme Court stated that the phrase "relates to " was too general to be a meaningful guide in determining what state laws ERISA preempts. The Court stated that the analysis must look to ERISA objectives as a guide, and began with the presumption that in enacting ERISA, Congress did not intend to supplant state law in fields of traditional state regulation such as health care. It is presently unclear whether states privacy laws are preempted by ERISA, and the analysis will be made on a case by case basis.