Generally, group health plans are subject to the HIPAA portability, privacy and security rules. An on-site clinic that provides treatment of minor injuries or illness is likely not a group health plan. In other words, your partially raided first aid kit is not a group health plan subject to HIPAA. Even if your on-site clinic meets the definition of a group health plan, it is still exempt from HIPAA as a group health plandue to the HIPAA regulations providing an exclusion for on-site medical clinics. However, an on-site clinic may be subject to HIPAA's privacy and security requirements as a covered health care provider.
To be covered under HIPAA as a health care provider, the provider must provide health care services and must conduct “standard transactions” electronically (e.g., billing, payments, coordination of benefits, enrollment and eligibility) or hire a service provider to do so. Providing health care services is very broadly defined and almost all on-site health clinics will meet the definition of health care provider, especially if it hires physicians, nurses, or other health care professionals. Therefore, if your clinic provides any of these services and conducts “standard transactions” electronically it is almost certain to be subject to the HIPAA privacy and security rules. This is true even if the electronic transactions are between your on-site clinic and your self-funded health plan.
Therefore, depending on the services provided by your on-site clinic and the method used for communicating standard transactions, your clinic may be subject to the HIPAA privacy and security rules as a covered health care provider. At a minimum, this means you need a Notice of Privacy Practices, HIPAA policies and procedures and can’t share information from the clinic with the company unless an exception applies.