As an Employer, What You Don't Know Can Hurt You
You may have heard about HIPAA. In fact, you may be painfully aware of HIPAA [1]. Although HIPAA does not apply directly to employers [2], it does apply to most employee benefit plans [3]. HIPAA also applies to a wide range of health care providers and health insurance companies.
Moreover, in the wake of media coverage focusing on data breaches, identity theft, and medical identity theft, consumers and employees have expressed concerns about the privacy and security of their personal information. Federal and state legislatures and agencies have responded with numerous laws and regulations mandating or recommending greater privacy and security protections, as well as increased rights for individuals with respect to their information.
In a nutshell, safeguarding the privacy and security of personal information – particularly protected health information – is both the law and the right thing to do.
These pages provide general information and are not intended to be legal advice.
1 "HIPAA" refers to the administrative simplification section of the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (collectively, "HIPAA"), particularly the Security Standards for the Protection of Electronic Protected Health Information (the "Security Rule") and the Standards for Privacy of Individually Identifiable Health Information (the "Privacy Rule"). 42 USC 1320d; 45 CFR Parts 160 and 164.
2 HIPAA applies directly only to "covered entities," which are: (i) health plans including most employee benefit plans; (ii) health care clearinghouses; (iii) health care providers that transmit electronic HIPAA-covered transactions; and (iv) sponsors of Medicare prescription drug cards.
3 The definition of a covered health plan includes an "employee welfare benefit plan," as defined under the Employee Retirement Income and Security Act of 1974 ("ERISA"), to the extent the plan provides medical care to employees or their dependents directly or through insurance if the plan: (i) has 50 or more participants; or (ii) is administered by an entity other than the employer. 45 CFR § 160.103.