This question came from one of our partners last week, and I think this is worth a full blog topic. Are employers covered entities?
The short answer is yes, if they provide group health insurance for their employees. HHS states that a “group health plan” is one type of health plan and is a covered entity (except for self-administered plans with fewer than 50 participants – a caveat almost no company can meet).
So, let’s break this down. “Health plan” has two definitions in the HIPAA law:
- A health insurance carrier that sells individual or group health, dental and/or vision insurance products
- A group health plan, under ERISA, which means any employee benefit plan (whether insured or self-funded and regardless of size) that provides health, dental and/or vision benefits.
Under the ERISA regulatory scheme, the idea of the health plan being separate from the employer is a critical element, but the courts have largely ignored this distinction, since there is so rarely a different level of control between the employer and the health plan. So we’ve said that the difference between an employer and a group health plan is the difference between you wearing one hat or the other. It’s still the same person under the hat, just as Clark Kent is still Superman, even when he is wearing a pair of glasses.
Employers come into contact with, sometimes store, and often control an employee’s Protected Health Information (PHI), which is regulated under HIPAA. You need to make sure that you have both Security and Privacy Policies and Procedures in place, and contracts with any business associates you use.
A covered entity has business associates: the health insurance agent, lawyers, accountants, IT contractors, the paper shredding company, etc. It’s important to note that you will be sending Business Associate Agreements to these support people who may see PHI, not Business Associate Subcontractor agreements. Covered entities don’t have subcontractors – they have business associates. It is your business associates that have subcontractors. Clear as mud, right?
Another responsibility you have is to train your employees who come into contact with PHI. We recommend you do this every year, and HHS will look for confirmation of this training if they audit your company. Privacy and Security are very important, and there are stiff fines for your company if there is an issue. Make sure that your staff knows what their responsibilities are before they come into contact with PHI.