The HIPAA Privacy Regulations: (Part II of II)

Oregon Lodging Association’s "Lodging News"

In Part I of this article, which appeared in the January/February 2003 edition of Lodging News, we introduced you to the new privacy regulations enacted by the federal government under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). Our primary goal with that article was to provide you with some background about these new regulations and how they might impact, directly or indirectly, both your business and you as an individual. It was also our intent that you take some preventative steps to determine, in consultation with your legal counsel or health care benefits advisor, what steps, if any, you might need to take to best protect your business and to minimize any risks associated, either directly or indirectly, with the HIPAA privacy regulations.

You will receive different interpretations of how these new regulations will affect you, both from those not trained in legal analysis and interpretation and from legal counsel. We have deliberately taken a conservative approach in our interpretation of HIPAA and these new regulations due to our substantial experience in representing employers in claims made by disgruntled employees and in situations, employment-related and otherwise, where business and personal assets are put at risk by governmental agencies due to alleged failures to follow applicable local, state or federal regulatory schemes. After all, it would not be the first time that complex federal statutes and regulations have been adapted for use by government, as well as by disgruntled employees, in ways that would appear not to have been contemplated when the law or regulation was first enacted. While some may choose to take a narrow approach when considering HIPAA, why take the risk?

The good news is that nearly all Oregon Lodging Association members who may be "covered entities" will not be required to come into compliance with the new regulations until April, 2004, because they will meet the definition of a "small health plan" in the regulations. A "small health plan" is defined as "a health plan with annual receipts of $5 million or less." Unfortunately, the HIPAA regulations do not specifically define the term "annual receipts," but it would appear that "annual receipts" is very roughly equivalent to "total income" or "gross income," subject to various offsets and qualifications. In the context of a "health plan," it is likely that "annual receipts" are roughly equivalent to annual premiums paid by participants which should exclude all but the very largest health plans.

The better news is that many members may not even meet the definition of a "covered entity" and thus will be able to avoid many of the requirements of the new regulations. Recall that under the regulations, a "covered entity" is defined, among other things, as a "health plan." A "health plan" includes a "group health plan," as defined under the HIPAA regulations, and an "employee welfare benefit plan," as defined by the Employee Retirement Income Security Act of 1974 ("ERISA"). A "group health plan" is defined as an "employee welfare benefit plan … that has 50 or more participants … or is administered by an entity other than the employer that established and maintains the plan." An "employee welfare benefit plan" is defined under ERISA as "any plan, fund, or program which was heretofore or is hereafter established or maintained by an employer or by an employee organization, or by both, to the extent that such plan, fund, or program was established or is maintained for the purpose of providing for its participants or their beneficiaries, through the purchase of insurance or otherwise … medical, surgical, or hospital care or benefits, or benefits in the event of sickness, accident, disability, [or] death …" The inclusion of an "employee welfare benefit plan" in the definition of a "health plan" appears to be qualified by including only an "employee welfare benefit plan or any other arrangement that is established or maintained for the purpose of offering or providing health benefits to the employees of two or more employers."

While this article is certainly not the appropriate forum in which to discuss the vagaries of statutory construction, suffice it to say that the absence of punctuation in this particular provision could lead to varying interpretations in the future. The more likely interpretation, for the moment, is that only those "employee welfare benefit plans … providing health benefits to the employees of two or more employers …" will be "covered entities" under this definition.

As is exemplified by the lengthy definition of a "health plan" just cited, as well as by the multiple sources that must be reviewed to determine the appropriate definition of an apparently straightforward term like "annual receipts," the HIPAA regulations are truly complex. While it is certainly very likely that these regulations will not impose a heavy burden on your business practices or require you to prepare such things as "business associate" contracts, accounting disclosures, privacy practices notices, and other HIPAA-required documents and procedures, we would encourage you not to wait until March, 2004, to find out what steps, if any, you need to take to comply with HIPAA. This is because many of the HIPAA privacy requirements are simply good business and employment practices. If it turns out that your business is then determined to be a "covered entity," you will also have given yourself a fair amount of time to assure compliance with the HIPAA regulations and to avoid any penalties that may arise from failure to comply.

Whether HIPAA applies to you or not, an important "step" that a business can take to minimize not only any risks associated with the HIPAA privacy regulations, but all employee privacy concerns, is to establish strong privacy policies for "protected health information," as well as other employee information. As alluded to in Part I of this article, your business interests in this regard go beyond the HIPAA privacy regulations and extend into simple and prudent employment practices that may reduce your exposure to employee claims of privacy violations.

You will recall from Part I that "employment records held by a covered entity in its role as employer" are exempted from the definition of "protected health information." Part I erroneously indicated that certain health information obtained by an employer related to an employee’s claim under the federal and Oregon Family and Medical Leave Acts, the Americans with Disabilities Act, the federal and state versions of the Occupational Safety and Health Acts, and others, would likely not be considered "employment records" for purposes of HIPAA. While such information does not appear to have been clearly addressed under the HIPAA privacy regulations, it is quite reasonable to infer that such information would be "employment records," which are excluded from the definition of "protected health information" under the HIPAA regulations. However, by definition, "employment records" do not include information that an employer may obtain or "hold" outside of the employment relationship. Therefore, if you are a "covered entity" and an employer, but you obtain "protected health information" by means other than as an employer, then this information would technically be subject to the HIPAA privacy regulations.

The problem with talking to health care providers or insurance agents about the privacy of an employee’s medical records or information is that more than compliance with HIPAA should be considered. The bigger picture is that you should never disclose any information you have received on an employee, whether it was obtained "outside" of the employment relationship or otherwise, without carefully reviewing the same with legal counsel. It is very important that any person who regularly comes into contact with so-called "protected health information," or any other employment-related information that an employee may prefer be kept confidential, follow policies established by the employer to protect that information from unauthorized disclosure. When a representative of an employer shares this type of information with a fellow employee for purposes unrelated to the employment relationship or business necessity, it is our opinion that the employer could still be considered to "hold" that information, but it will not be information "held by a covered entity in its role as employer."

Now, it is very likely, and anticipated, that the federal government may not have the time or the inclination to penalize an employer for a violation of HIPAA under the above-referenced scenario. One would hope that the government has more important matters to address. However, this is where the idea of a new privacy standard comes into play. Recall that in Part I, we discussed the belief by some legal commentators that the HIPAA privacy regulations could be asserted by employees, patients, and others as a new standard for the protection of private health-related information. This means that a creative lawyer could try to argue that although an employer may not be required to follow the HIPAA privacy standards, any harm resulting from the failure to meet such standards could be asserted as constituting negligence by the employer or other entity charged with having a duty to protect such information from unauthorized disclosure. Admittedly, this concept is difficult to articulate, and it may be many years before such a theory could gain the approval of a court. But, again, it underscores the need for employers to act prudently and not be too "loose" with employees’ private information, whether it be health information or otherwise. Therefore, establishing sound privacy policies for your business certainly would not do you any harm. To the extent that these policies are in at least partial compliance with the standards set forth under the HIPAA privacy regulations, all the better.

Finally, it was brought to our attention that at least portions of Part I may have been inaccurate, or at least unnecessarily presented cause for alarm among association members. For this we sincerely apologize, and we have attempted to clarify and correct these issues in Part II. The employment practices of individual small employers are likely not among the "evils" that the HIPAA privacy regulations seek to counter. To that extent, nearly all Oregon Lodging Association members can rest assured that federal "HIPAA" agents likely won’t be knocking on their door any time soon to inquire about their privacy policies. On the other hand, it has always been our practice to err on the side of caution in protecting our clients’ interests, particularly when it comes to the application of complex new governmental regulations which have never been tested in the courts. Therefore, just as with employment policies related to discrimination, harassment, termination, wage and hour, and others, prudence and caution dictate the establishment of a good privacy policy to minimize your legal exposure to privacy-related employment claims.