As published in the May 29, 2000 issue in iHealthcare Weekly.
Although existing laws related to the confidentiality of medical information do affect employers in many instances, such laws do not really take into account the notion of healthcare information being transmitted electronically, for example through the Internet or an intranet. The privacy and security rules introduced pursuant to the Health Insurance Portability and Accountability Act (HIPAA), and scheduled to be finalized this year, are intended to fill this gap. Right now it is somewhat unclear to what extent employers will be directly affected by these rules, and the issue is currently being debated in Washington. The Privacy Rule, as it is now written, states that employers are not directly regulated by the rule.
However, a closer reading seems to lead to a different result: Employers, though not "directly regulated" by the privacy rule, will most likely have to comply with the rule depending on the type of health plan they offer their employees, and their role with respect to that health plan. As the rules are written now, it appears that employers who create, transmit, or receive individually identifiable healthcare information, called "protected health information" in the privacy rule, could be significantly affected and will likely have to comply with both the privacy and security rules.
Specifically, the privacy rule provides that employers functioning in the role of a health plan or healthcare provider will have to comply with the rule. A "health plan" is defined in the privacy rule to include all ERISA plans with more than 50 employees and all ERISA (Employee Retirement Income Security Act) plans administered by someone other than the employer, whether insured or self-insured.
Therefore, the category of ERISA plans that is not covered by the rule includes those plans that are small and self-administered. The preamble to the rule, discussing the treatment of entities that are not primarily engaged in healthcare but have a healthcare component, is relevant to employers, in that the healthcare component would be considered the "covered entity" subject to the privacy rule. Further, "any movement of information into another component of the organization would be a 'disclosure,' and would be lawful only if such disclosure would be authorized by this regulation."
The Georgetown Privacy Project, in its comments on the Privacy Rule, attempted to clarify how this would work in the context of employers operating ERISA plans by describing the following scenario:
This reading of the rule means that ostensibly the great majority of employers will be required to bring their operations into compliance with the privacy rule to the extent that they are considered to be a "health plan."
Similarly, an employer that assists in the processing of a claim might be considered a "business partner" under the privacy rule, and would then have to enter into and comply with a contract with a "covered entity," although this is not made clear in the rule.
The security rule applies to the same entities that the privacy rule does, and the entities, such as a "health plan," are defined in the same way. The security rule, then, would require employers covered by it to conform their computer systems to its goal: that covered entities establish administrative, physical, and technical safeguards for health information being stored or transmitted electronically.
Since the security and privacy rules are scheduled to become final in the next few months, it is vitally important for employers to begin assessing their role under HIPAA and to prepare for what could be very significant changes to come.
© 1999 - Moses & Singer LLP all rights reserved.