On those unfortunate occasions where you have to go to the doctor’s office (especially at this time of year with cold and flu germs swirling around like a Nor’easter), you have the confidence of knowing that your privacy is protected with the HIPAA Privacy Rule.
But did you know that HIPAA regulations extend past those in the medical profession?
“Business associates” are also bound by HIPAA privacy rules. These are companies that perform certain services for covered entities that involve the creation, receipt, maintenance and/or transmission of protected health information (PHI). This may include companies that provide data storage services (such as cloud providers), as well as accountants, lawyers, consultants and anyone else who provides services to covered entities involving PHI. PHI is broadly defined by HIPAA as information created or received by a covered entity that relates to the health of an individual or the payment for the provision of health care to an individual, transmitted or maintained in any form or medium.
Maybe you don’t provide any of the above services, but you do offer a health care plan to your employees. According to lawyers Kerry Moskol and Jennifer Hennessy, “Employee welfare benefit plans (in addition to other health plans) are HIPAA covered entities and are subject to HIPAA, unless the plan is self-administered and has fewer than 50 participants. However, if a company’s plan is fully-insured and the only PHI the sponsor receives is enrollment and summary information, the plan may have fewer HIPAA compliance obligations.”
In addition, a group health plan is treated as a separate legal entity from the plan sponsor (the employer) under HIPAA. “This distinction is important because HIPAA prohibits group health plans from disclosing PHI back to the sponsor, with limited exceptions,” explain Moskol and Hennessy. “One of the exceptions permits group health plans to disclose limited PHI to the sponsor to allow the sponsor to perform plan administrative functions; however, HIPAA’s specific requirements must be followed.”
If you are unsure where your business lies within HIPAA requirements, you can contact a business lawyer. Consider that HIPAA violations may result in penalties of $100 to $50,000 per violation, depending on the conduct at issue. Do you really want to take that chance?