

HIPAA Alert for Employers

February 2003

If you are an employer that sponsors an employee health benefit plan, you should be taking steps now to comply with the Privacy Regulations under the federal Health Insurance Portability and Accountability Act ("HIPAA"). The compliance deadline is April 14, 2003 or, in the case of health plans with annual claims expenses or premium payments of less than $5 million ("small health plans"), April 14, 2004.

The Privacy Regulations are part of the federal government's efforts to simplify the electronic transmission of medical claims and protect the privacy of individually identifiable health information. The Regulations prohibit the use or disclosure of individually identifiable health information, known as "protected health information" ("PHI"), except for certain permitted purposes, unless the individual has authorized the specific use or disclosure in writing. Individually identifiable health information received by an employer outside of its health benefit plan and used to carry out employment-related functions, such as information from return-to-work physicals, drug testing, FMLA determinations, determinations of job fitness or evaluation of eligibility for other benefit programs, is not considered PHI and is not subject to the Privacy Regulations.

HIPAA does not directly regulate employers, but it does regulate health benefit plans, including group health and dental plans, vision plans, health care flexible spending accounts and health reimbursement accounts. Only plans with 50 or fewer participants that are administered directly by the employer, rather than by a third-party administrator ("TPA"), are exempt from the Privacy Regulations. HIPAA does not regulate workers' compensation programs, on-site medical clinics, disability programs or stop-loss arrangements. Employers should evaluate each of the benefit plans they offer to determine whether they are subject to HIPAA, and consider the compliance measures that will be required for each plan.

An employer who sponsors a fully insured health plan avoids most of the requirements of the Privacy Regulations if it elects to receive from the plan only summary health information[1] in order to obtain bids from carriers or to modify, amend or terminate the plan. In contrast, an employer who sponsors a self-insured health plan or an employer with a fully insured plan who needs more than summary health information to administer its plan is required to (i) amend the plan documents and certify in writing that it will comply with the privacy provisions of the plan, (ii) furnish a privacy notice to plan participants, (iii) comply with the administrative standards of the Regulations, and (iv) if the plan is administered by a TPA or receives services from other service providers who require access to PHI, enter into a written contract with the TPA and each other service provider containing the "business associate" provisions required by the Regulations.

The following is a brief summary of the major privacy compliance requirements for employers:

Plan Amendments. If an employer wants to receive more than summary health information from the plan, the Regulations require that the plan documents be amended to describe the permitted uses and disclosures of PHI by the employer and provide for adequate separation between the plan and the employer by identifying the employees or classes of employees who will have access to PHI, restricting access solely to those employees, limiting the use of PHI by the employer to the functions it performs for the plan, and providing a mechanism for resolving noncompliance issues. The plan amendment must also, among other things, restrict the use and further disclosure of PHI by the employer to those uses and disclosures permitted or required by the plan or required by law, prohibit the use or disclosure of PHI by the employer for employment-related actions or in connection with any of its other benefit plans, require the employer to allow access to or amend the PHI of a plan participant in accordance with the privacy rules at the request of the participant, and require the employer to provide an accounting of its disclosures of PHI to a plan participant who requests an accounting. Before the plan may disclose PHI to the employer, the employer must provide a written certification that it will comply with the privacy requirements of the plan.

Privacy Notices. A privacy notice meeting the requirements of the Regulations must be given to all plan participants by the compliance deadline, upon enrollment and every three years thereafter. The privacy notice must describe the uses and disclosures of PHI that may be made by the plan, the rights of plan participants and the plan’s privacy policies. An employer who sponsors a fully insured plan and receives no more than summary health information need not provide a privacy notice separate from the one that the insurance company or HMO is required to provide. If an employer who sponsors a fully insured plan receives more than summary health information, the privacy notice need only be made available by the employer upon request of a plan participant. On the other hand, a self-insured plan must provide a privacy notice to plan participants upon enrollment regardless of whether the employer receives any PHI from the plan.

Administrative Standards. A self-insured plan and a fully insured plan that discloses more than summary health information to the employer are required to meet certain administrative standards, including designating a privacy officer and a privacy contact person and developing and implementing policies and procedures governing the use and disclosure of PHI, the handling of privacy complaints and the mitigation of the effect of improper disclosures.

Business Associate Contracts. The Regulations require a self-insured plan and a fully insured plan sponsored by an employer who wants to receive more than summary health information from the plan to enter into a "business associate agreement" with each service provider who requires access to PHI, such as a TPA or independent claims auditor. Plans subject to the April 14, 2003 compliance date may have some extra time to meet this component of HIPAA. If the plan’s contract with a TPA or other service provider was entered into before October 15, 2002 and is not otherwise renewed or modified before April 14, 2003, then the plan can wait until the next modification or renewal of the contract to build in "business associate" provisions, as long as such provisions are in place no later than April 14, 2004.

The Privacy Regulations provide for substantial penalties for non-compliance. The civil penalty is up to $100 per person per violation, with a maximum of $25,000 per person for violations of a single rule in one calendar year. There are also stiff criminal penalties for knowing misuse of PHI, and other penalties for the sale of PHI or use of PHI under false pretenses.

This alert is designed to describe only in general terms the requirements that HIPAA imposes on employers that sponsor health benefit plans. For further guidance, please call Vaughan Finn (860-251-5505) at Shipman & Goodwin LLP.


The content of this article does not constitute legal advice, since legal advice is dependent upon the facts and circumstances of particular cases. If you have a question about how this article may apply to you or your organization, please contact one of the attorneys in our Labor and Employment Department.


[1] Summary health information is information about claims history, claims expenses, and the types of claims experienced that is in a general format and is not identifiable to any specific individual. Enrollment information may be received by an employer without triggering privacy compliance obligations.

© Shipman & Goodwin LLP, 2019. All Rights Reserved.