Most employers have heard of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act. In a nutshell, HIPAA requires that a “covered entity” maintain the privacy of personal health information (PHI). Most employers know that HIPAA provides privacy protection for health information – but don’t know whether it applies to them. This is because HIPAA’s privacy rule is commonly thought to apply to health care providers and not to employers. This assumption is incorrect; HIPAA applies to employer-sponsored health plans and, therefore, to employers who sponsor those plans.
What Is the Risk?
HIPAA’s privacy protections have been on the books for more than a decade, but, in practice, enforcement has been lax. Few employers outside of the health care industry have heard of HITECH. HITECH, passed in 2009, significantly enhances penalties for violations of HIPAA’s privacy rule, which puts employers who are “covered entities” under HIPAA at risk. HITECH has mandatory penalties for violation of HIPAA’s privacy rules; the Federal Office for Civil Rights (OCR) (within the U.S. Department of Health and Human Services) has stepped up HIPAA audits of “covered entities” that are subject to HIPAA. OCR has now begun levying significant monetary penalties for violations of HIPAA’s privacy rule. Penalties range from $100 per violation up to $50,000 per violation. In practice, OCR is not interested in small fines; penalties in the hundreds of thousands and even millions of dollars have been levied for what appeared at first glance to be small issues. For instance, in two separate situations when a covered entity reported in good faith to OCR that thieves had broken into its offices and stolen computers containing personal health information (PHI), OCR expanded the investigation to cover whether the covered entities had the appropriate policies, electronic safeguards and other required precautions in place – resulting in a $1.5 million fine in each instance, along with significant reporting obligations going forward. OCR has even fined the Alaska Department of Health and Social Services nearly $900,000. The cynical among us might suspect that the government’s budgetary crisis is pushing this new enforcement regime. The lesson here is that you cannot assume you are not a “covered entity” – you must make a positive determination that you are not covered or, if you are covered, that you have met your obligations. 
If OCR comes knocking, you may be able to avoid significant liability if you have a PHI breach by showing that you have engaged in a good faith attempt to meet your obligations. Expect OCR to be heavy-handed with employers who don’t know their obligations or who have not even tried to meet them.
Are You at Risk?
The first question is whether you as an employer are a “covered entity.” Employers who do not self-insure are generally not “covered entities” subject to HIPAA. However, the majority of employer health plans are self-insured, and most employers will have to obtain PHI to administer their plan. Many employers believe that they are not “covered entities” and do not obtain PHI because they hire a third party administrator (TPA) to manage their plan. This is generally untrue; there is frequently a flow of PHI between the TPA and the employer through the routine tasks of managing the self-insured plan.
There are other ways that an employer in the HVACR industry can become a “covered entity.” Health and wellness programs, employee assistance programs (EAPs), and medical reimbursement accounts and policies can turn an unsuspecting employer into a “covered entity.” Obviously, if an employer operates a health care clinic of some kind, it is a “covered entity.” If a third party is operating these plans/clinics, it is possible that the employer can avoid being a “covered entity”; however, that usually only occurs if the employer has strict policies in place to prevent the flow of PHI between itself and the third party administrator.
One of the larger misconceptions is that an employer who keeps records for FMLA, disability insurance, ADA or other employment-related purposes is a “covered entity.” An employer who receives this information for employment-related purposes, and not health care purposes, is not a “covered entity” under HIPAA (except for records maintained by a health plan). This does NOT mean, however, that there are no other protections for such information. For instance, the Genetic Information Nondiscrimination Act of 2008 (GINA) protects the privacy of genetic information acquired by an employer – this includes family histories, existence of genetically acquired diseases and so on. Furthermore, state privacy laws can add layers of protection that federal laws do not.
How Do You Maintain Compliance?
Every “covered entity” should have an annual review conducted internally to ensure that the privacy requirements of HIPAA and HITECH are being met. OCR will not consider a once-and-done review to be sufficient if there is a breach in later years. Each employer’s compliance program will be as unique as each employer’s operations are different. However, some common elements are: designate a HIPAA compliance officer; create privacy and security policies that comply with HIPAA and HITECH; determine which employees have access to PHI; limit access to PHI both operationally and in policy to those employees who “need to know”; review physical and encryption security for PHI; schedule annual reviews of policies, operations and regulations; create annual risk analyses and security plans; have policies in place regarding breaches of PHI security; schedule annual computer network security reviews; ensure all physical/documentary PHI is kept in a locked location; create policies for reviewing and shredding old documents; and ensure that no PHI is kept on any mobile digital device OR that you have appropriate policies and safeguards in place if such storage is necessary.
What About Social Networking?
Social networking technology has posed a new risk for employers. Ensure that your employees are educated on the risks of casually posting information on a social networking site. You should also have the appropriate policies in place to prohibit posting of PHI; however, an overbroad social networking policy can run afoul of the National Labor Relations Act (NLRA) and result in penalties being levied by the National Labor Relations Board. These policies should be reviewed by an attorney before publication to your employees to ensure they comply with both HIPAA/HITECH and the NLRA.
Christopher E. Ezold, Esq. is a partner with The Ezold Law Firm, P.C., a seven-attorney boutique law firm in suburban Philadelphia focusing on employment, business and health care law. Ezold acts as outside general counsel to employers and business clients and is licensed to practice law in Pennsylvania, New Jersey and Delaware. Contact Ezold at 610/660-5585, [email protected] or visit www.ezoldlaw.com.