HIPAA privacy rules
  • Employers are subject to the HIPAA privacy rule when they self-insure or have entered into an insurance agreement, but receive, manage, or disclose PHI as a group health plan.
  • Employers that are not self-insured but that perform certain record-keeping functions, such as transmitting individuals’ health records to a group plan, are also subject to the HIPAA privacy rule.
  • Individuals may authorize disclosure of PHI, and covered entities must provide notice of patients’ privacy rights and privacy practices to affected individuals.

Employers are covered by the HIPAA privacy rule when they self-insure or when they have entered into an insurance agreement, but receive, manage, or disclose protected health information (PHI) as a group health plan. An employer that is not self-insured but that performs certain record-keeping functions, such as transmitting individuals’ health records to a group plan, is also subject to the rule.

In general, privacy is about who has the right to access information that identifies an individual, the individual’s physical or mental health condition, the health care that the individual has received, or payments for such care. PHI does not include summary health information which excludes the individual’s name or other identifying information. The privacy rule covers all PHI in the hands of covered entities or their business associates, regardless of whether it is or has been in electronic form.

HIPAA privacy standards

Generally, the privacy standards:

  • Limit the non-consensual use and release of PHI;
  • Give patients the right to access their medical records and to know who has accessed them;
  • Restrict most disclosure of health information to the minimum needed for the intended purpose;
  • Establish new criminal and civil sanctions for improper use or disclosure; and
  • Establish new requirements for access to records by researchers and others.

Employer requirements

As representatives of the plan, employers should evaluate and take the following steps (this list is not exhaustive):

  • Be aware of the rule and its requirements;
  • Review any group health plan documents and amend the plan(s), as necessary, to deal with the transmission of PHI from the plan to the employer;
  • Develop the appropriate notices (discussed below);
  • Review vendor (business associate) contracts to address the transmission of PHI outside the plan for administrative purposes and to ensure the business associate and any subcontractors take the appropriate steps to also safeguard PHI;
  • Train key managers, supervisors, and officers how to deal with PHI to the extent their job duties require contact;
  • Develop appropriate policies, with measures taken for violators;
  • Appoint a privacy officer; and
  • Develop procedures for obtaining authorization for the disclosure of PHI and responses to any inappropriate disclosure of PHI.

Authorized disclosure of PHI

Individuals may authorize the disclosure of their PHI. An authorization is an individual’s signed permission allowing a covered entity to use or disclose the individual’s PHI that is described in the authorization, for the purpose(s) and to the recipient(s) stated in the authorization. Authorizations allow health information to be released for additional, specific uses beyond treatment, payment, and health care operations.

Notice of privacy rights

Covered entities must provide notice of patients’ privacy rights and the privacy practices to affected individuals. The notice must explain how PHI may be used and disclosed. The notice also needs to contain the individuals’ rights with respect to the PHI, how the individuals may exercise their rights, the covered entity’s legal duties with respect to PHI, and who individuals can contact for further information. The notice must also have an effective date.