Do you think of HIPAA as a law that applies only to health care providers? If so, the good news is that you’re not alone. The bad news is that you may have some work to do.

While it is true that HIPAA applies to most health care providers, HIPAA’s applicability is far more widespread. In fact, HIPAA applies to a broad range of companies that may not even be in the traditional health care space. This article focuses on HIPAA’s applicability to two lesser known categories of entities that are subject to HIPAA: group health plans and companies that provide services to covered entities involving the creation, receipt, maintenance or transmission of protected health information. This article also provides guidance on steps to take if your company does in fact have HIPAA obligations. Don't panic, you can do this!

HIPAA's reach is wider than it appears

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations apply to covered entities and business associates. The term “covered entity” is defined to include only the following: health care clearinghouses, most health care providers, and… health plans.

Yes, you read that correctly. As described further below, if you are a company that offers a health plan, your company's health plan is likely subject to HIPAA. This surprising to many employers, particularly if the company has no connection to the health care industry.

Another little surprise is that “business associates” are also directly subject to HIPAA. “Business associates” are companies that perform certain services for covered entities that involve the creation, receipt, maintenance and/or transmission of protected health information (PHI). This includes companies that provide data storage services (e.g., cloud providers), as well as accountants, lawyers, consultants and others who provide services to covered entities involving PHI. The term “protected health information” or “PHI” is broadly defined by HIPAA to mean information created or received by a covered entity that relates to the health of an individual or the payment for the provision of health care to an individual, transmitted or maintained in any form or medium.

Your company’s group health plan is (probably) a HIPAA covered entity

Was your New Year’s resolution to discover that your company’s group health plan is a HIPAA covered entity? If so, you’re in luck! Employee welfare benefit plans (in addition to other health plans) are HIPAA covered entities and are subject to HIPAA, unless the plan is self-administered and has fewer than 50 participants. However, if a company's plan is fully-insured and the only PHI the sponsor receives is enrollment and summary information, the plan may have fewer HIPAA compliance obligations.

Under HIPAA, the group health plan is treated as a separate legal entity from the plan sponsor (e.g., the employer). This is an important distinction to keep in mind and one that is easily confused — the group health plan, not the sponsor, is the HIPAA covered entity. This distinction is important because HIPAA prohibits group health plans from disclosing PHI back to the sponsor, with limited exceptions. One of the exceptions permits group health plans to disclose limited PHI to the sponsor to allow the sponsor to perform plan administrative functions; however, HIPAA’s specific requirements must be followed.

Be on alert if your company provides services to covered entities requiring access to PHI

Many companies function as a business associate under HIPAA without realizing it. Does your company provide services — directly or indirectly — to a covered entity that involves the creation, receipt, maintenance or transmission of PHI? If the answer to this question is yes, your company is likely a business associate and directly subject to HIPAA.

Even if a company is not providing services directly to a covered entity, it may still be providing services to a covered entity indirectly as a subcontractor to a business associate of a covered entity. For example, a covered entity may hire a business associate to provide data storage for its PHI. That business associate may in turn hire a subcontractor to maintain some of the covered entity's data. If that data includes PHI, the subcontractor is also considered a business associate under HIPAA. This is true even though the company has not directly contracted with the covered entity to provide the services.

I think we are subject to HIPAA. Now what do we do?

If your company’s group health plan is subject to HIPAA and/or your company functions as a business associate, there are certain steps you will need to take to comply with HIPAA. For example, health plans and business associates must:

  • Develop HIPAA privacy and security policies and procedures, and provide proper training on those policies and procedures
  • Perform a security risk assessment to determine risks and vulnerabilities to the electronic PHI held by the entity 
  • Appoint a privacy and security officer to oversee HIPAA compliance
  • Enter into HIPAA-compliant business associate agreements in relation to any applicable business associate services

In addition, group health plans must amend their plan documents to address HIPAA's requirements and must provide a Notice of Privacy Practices to individuals at the time of enrollment in the plan and notify individuals of the availability of the Notice and how to obtain it every three years.

If the Office for Civil Rights (OCR) determines that the group health plan or business associate is not in compliance with HIPAA, it may impose an appropriate civil monetary penalty or pursue criminal penalties. The civil monetary penalties are tiered based on intent and generally range from $100 to $1,500,000. The OCR also works in conjunction with the Department of Justice to refer possible criminal violations of HIPAA. Given the high stakes of noncompliance, it is critical to understand the scope of your HIPAA obligations and take steps toward ensuring compliance.

Originally published in InsideCounsel, January 15, 2015