Overview of HIPAA Privacy and Security rules that employers and HR professionals should know

By now we have all come across the term “HIPAA” in one form or another, whether at the doctor’s office, on the news, or at work.  The term is an acronym for the “Health Insurance Portability and Accountability Act of 1996”, which was enacted as an amendment to the Internal Revenue Code of 1986 (the Act also amended other federal statutes, including ERISA and the Public Health Service Act).

HIPAA includes provisions that regulate health information privacy, portability, and continuity of health insurance, administration of health insurance, medical savings accounts, and long-term care insurance.


In this blog article, we will walk through the HIPAA Privacy Rule and the related Security Rule.  These are the parts of HIPAA that you, as an employer or HR professional, need to know to make sure that you handle your employees’ health information properly and keep it confidential and safeguarded.


Disclaimer: The information contained in this article is merely an overview of some of the requirements of HIPAA and should not be relied on as legal information or advice.  Readers are encouraged to seek detailed information from the OCR website at http://www.hhs.gov/ocr/hipaa.



The Health Insurance Portability and Accountability Act of 1996 consists of five titles, as follows:

Title I: Health Care Access, Portability, and Renewability

Title II: Preventing Health Care Fraud and Abuse; Administrative Simplification; Medical Liability Reform

Title III: Tax-related health provisions governing medical savings accounts

Title IV: Application and enforcement of group health insurance requirements

Title V: Revenue offset governing tax deductions for employers


Title I protects health insurance coverage for workers and their families when they change or lose their jobs. Title II requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers. Title III sets guidelines for pre-tax medical spending accounts, Title IV sets guidelines for group health plans, and Title V governs company-owned life insurance policies.


The Administrative Simplification provisions, found in Title II, sections 261 through 264 of the Act, require the Secretary of the U.S. Department of Health and Human Services (“HHS”) to publish standards for the electronic exchange, privacy and security of health information.  Under this authority HHS promulgated the Privacy Rule, formally known as the “Standards for Privacy of Individually Identifiable Health Information”.  The Office for Civil Rights (“OCR”), within HHS, is responsible for enforcing the Rule, including conducting compliance reviews and imposing civil money penalties.  A major objective of the Privacy Rule is to assure the protection and confidentiality of an individual’s health information.


Who must comply?

Covered Entities:

The Privacy Rule and the other Administrative Simplification rules apply to “Covered Entities”, meaning health plans, health care clearinghouses, and any health care provider who transmits health information electronically in connection with transactions for which the Secretary of HHS has adopted standards under the Act.  For assistance in determining whether your organization is a “covered entity”, consult the HHS covered entity guidance on the OCR website.


HHS subsequently issued an updated set of rules, the 2013 HIPAA Omnibus Final Rule (Federal Register document 2013-01073), which can be found at http://federalregister.gov/a/2013-01073.  This update runs to 563 pages and addresses a variety of topics, including privacy, security, breach notification, and penalties, among others.


Employers that sponsor health plans:

HIPAA also applies to employer-sponsored group health plans, including: medical, dental, prescription drug, vision, health flexible spending account (Health FSA), employee assistance program (EAP), and health reimbursement arrangement (HRA) plans.

However, HIPAA does not apply to health savings accounts (HSAs), life insurance, disability insurance, or workers’ compensation.  In fully insured plans, both the employer’s group health plan and the insurance carrier are covered entities.  Likewise, self-funded employer plans are covered entities, including Section 125 Health FSAs and HRAs.


Business Associates:

Another term to be aware of is “Business Associate”, which refers to a person or organization, other than a member of a covered entity’s workforce, that performs certain functions or activities on behalf of a covered entity that involve the use or disclosure of individually identifiable health information.  Examples of such functions or activities include: claims processing, data analysis, utilization review and billing.  Services include legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation or financial services.  Covered Entities that use the services or activities of Business Associates must have written contracts (business associate agreements) in place that include certain protections to safeguard individually identifiable health information.  For sample language, readers can refer to: http://www.hhs.gov/ocr/hipaa/contractprov.html.  You are also encouraged to see OCR’s “Business Associate” guidance.



The HIPAA privacy rule and Protected Health Information

The Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or its Business Associate, regardless of the form in which it is held or transmitted: electronic, paper or oral.  This information is collectively known as “Protected Health Information” (PHI).


Examples of Protected Health Information:

  • Health insurance enrollment applications
  • Enrollment reports
  • Verbal disclosure of someone’s medical information to another employee
  • Reports from insurance carriers containing ID numbers
  • Emails from an employee containing plan payment information

The Security Rule, a separate regulation that complements the Privacy Rule and applies specifically to PHI in electronic form (“e-PHI”), requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI.


Specifically, covered entities must:

  1. Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit;
  2. Identify and protect against reasonably anticipated threats to the security or integrity of the information;
  3. Protect against reasonably anticipated, impermissible uses or disclosures; and
  4. Ensure compliance by their workforce.

The Security Rule, at 45 CFR §§ 164.308 through 164.316, contains 22 specific standards with respect to data security that Covered Entities need to follow.  Since the 2013 Omnibus Rule, Business Associates are directly required to comply with the Security Rule as well.


Protected and unprotected information:

Here are some examples of protected and unprotected information.

  • The Privacy Rule does not protect employment records, even if the information in those records is health-related.
  • In most cases, the Privacy Rule does not apply to the actions of an employer.  An employer can ask an employee for a doctor’s note or other health information if it needs the information for sick leave, workers’ compensation, wellness programs, or health insurance.
  • However, if your employer asks your health care provider directly for information about you, your provider cannot give your employer the information without your authorization unless other laws require it to do so.
  • Generally, the Privacy Rule applies to the disclosures made by your health care provider, not to the questions your employer may ask.
  • If you work for a health plan or a covered health care provider:
    1. The Privacy Rule does not apply to your employment records;
    2. The Rule does protect your medical or health plan records if you are a patient of the provider or a member of the health plan.
  • Protected Health Information does not include records the employer holds in its capacity as an employer, such as: FMLA medical certifications, results of employee drug testing, workers’ compensation information, and life insurance applications.



Best Practice for employers and HR professionals

Employers who handle HIPAA-protected information should consider implementing some form of the following procedures:

  1. Establish written policies and procedures for handling HIPAA information
    1. Policies for accessing, using and disclosing data
    2. Security for electronic and physical protection of data
    3. Policies for handling data breaches
  2. Assign specific individuals to HIPAA related matters
  3. Create, maintain and store administrative documents such as business associate agreements and other documents
  4. Conduct periodic risk assessments and audits
  5. Develop and implement employee training programs with periodic updating.



HIPAA Privacy Violations

As of October 31, 2017, the Office for Civil Rights reported that it had received 167,321 HIPAA complaints since April 2003 and had initiated 857 compliance reviews.  Further, OCR had settled or imposed civil money penalties in 52 cases, totaling nearly $73 million.  To date, OCR has made 656 referrals to the Department of Justice for criminal investigation of possible HIPAA violations involving the knowing disclosure or obtaining of PHI in violation of the rules.


The top five categories of compliance issues investigated (in order of frequency):

  • Impermissible uses and disclosures of protected health information;
  • Lack of safeguards of protected health information;
  • Lack of patient access to their protected health information;
  • Use or disclosure of more than the minimum necessary protected health information; and 
  • Lack of administrative safeguards of electronic protected health information.



The differences between civil and criminal penalties are summarized in the following table:

[Table: HIPAA Privacy Violations penalties]

Employers need to take HIPAA requirements seriously and assign qualified individuals to oversee implementation and compliance.  Even unintentional disclosures of Protected Health Information can lead to enforcement actions against employers.  The OCR website provides a wealth of information for employers who want to learn more about this topic.  If you need assistance with your HIPAA-related issues, please contact BOR-Go for a no-obligation consultation.

Written by Paul McFarling - Legal Counsel

Updated on September 12, 2018 23:47