October 7, 2002

How Will HIPAA Impact Employers?

Holland & Knight Newsletter
Shannon Britton Hartsfield

Employers and Health Information

Numerous state and federal laws, including the ADA, the FMLA, and federal and state drug testing and workers’ compensation laws, require employers to obtain and safeguard health information regarding their employees. These laws generally restrict dissemination of employee health information and limit the ways employers can use such information to make employment decisions. Now, new federal regulations implementing the Health Insurance Portability and Accountability Act of 1996 (HIPAA) impose additional stringent requirements on all employers who sponsor employee health plans. As the deadline for compliance is fast approaching (October 2002 in some cases) and penalties for non-compliance are substantial, employers must move quickly to understand and comply with these new requirements.

The following summary will focus on how HIPAA’s Privacy Rules and Transaction and Code Sets Rules will affect employer-sponsored health plans.

The Privacy Rules

The HIPAA Privacy Rules prohibit covered entities from using or disclosing individually identifiable, protected health information (PHI) unless either the covered entities have obtained the appropriate form of permission from that patient or the use or disclosure is expressly allowed by HIPAA. They also impose a host of potentially burdensome and expensive administrative policies and procedures and reporting and disclosure requirements that often go far beyond state laws while, unlike ERISA, permitting any more stringent state laws to continue in effect.

Although employers are generally not considered “covered entities” under HIPAA, they do qualify if they sponsor health care components, such as self-insured health plans, wellness programs, on-site clinics, or employee assistance programs. In general, the HIPAA Privacy Rules will affect the use and disclosure of PHI by the health care component of the employer and the corresponding workforce, and will require the imposition of “firewalls” to keep health-related functions separate from general, employment-related functions and personnel.

What Employer-sponsored Health Plans Must Do

The final rules will require the self-insured health plan component of the employer (i.e., the employer in its role as plan sponsor) to:

• amend its health plan documents, such as ERISA-mandated summary plan descriptions, to include more than a dozen specific privacy provisions if the employer in its role as a health plan sponsor receives health information beyond that needed to enroll and disenroll participants
• negotiate or revise written contracts with third-party administrators, insurers, HMOs, case managers, disease managers, utilization review and other managed care vendors and other “business associates” to incorporate more than a dozen specific privacy provisions. (Although the compliance deadline is April 14, 2003, most employers may continue to operate under existing written contracts for up to one year after that date if such contracts were effective prior to October 15, 2002, and are not modified or renewed before April 14, 2003.)
• appoint, and in some cases hire, a privacy official who will be responsible for, among other things, training employees involved in plan administration in handling PHI, and ensuring that adequate privacy practices and procedures are implemented
• protect participants’ rights to inspect and copy their PHI, amend their records, and receive an accounting of all disclosures of their PHI by the plan
• implement a process to resolve participants’ complaints and grievances with respect to their PHI
• obtain a detailed authorization from any participant whose PHI is to be used for any purpose other than “payment, treatment, and health care operations”
• separate health plan administration (where PHI may be used or disclosed) from other general corporate functions and even from the administration of other ERISA benefit plans

The rules require compliance before April 14, 2003, for health plans generally, and a year later for small health plans with annual receipts of $5 million or less. Moreover, the regulations apply to all medical records and other PHI maintained or disclosed by the employer’s health plan, whether electronic, written or oral.

Standard Transaction and Code Sets

The new HIPAA regulations also mandate specific procedures and formats that must be followed when transmitting certain health information electronically. These procedures are referred to as Standard Transaction and Code Sets.

Who Is Covered?

Again, employer-sponsored health care components, such as health plans, are subject to the Standard Transaction and Code Sets rules. The regulation defines a “health plan” as an individual or group health plan that provides or pays for the cost of medical care, including all private-sector health plans, multi-employer plans, and government health plans. Some examples of employer-sponsored health plans include clinics, health insurance, HMO membership, vision care, dental care, prescription drug coverage (but not prescription discount programs), medical flexible spending accounts, and cafeteria plans that include medical care options.

What Is Required?

The standards require all electronic transactions of the following kinds of health information to follow a specified, standard format:

• health claims or equivalent encounter information
• enrollment and disenrollment in a health plan
• eligibility for a health plan
• health care payment and remittance advice
• health plan premium payments
• first report of injury
• health claims status
• referral certification and authorization

These standard formats are required whether the electronic transaction occurs with another entity, internally, or upon request of another entity. The standards do not apply, however, if an employer chooses to conduct the listed transactions on paper, as employers are allowed to do.

The compliance date for the Transactions and Code Sets Rule has been extended until October 16, 2003. However, to qualify for the deadline extension, a covered entity must submit a compliance plan to the Secretary of HHS by October 16, 2002. The compliance plan must show the compliance budget, a work plan, and an implementation strategy. The Centers for Medicare and Medicaid Services Web site (http://CMS.hhs.gov) has a model Transactions and Code Sets Compliance form and information explaining who should file, when to file, and how to file.

In sum, the compliance dates for both the Privacy Rules and the Transaction and Code Sets rules are quickly approaching. To emphasize the importance of compliance, one should note that the HIPAA provisions carry significant penalties. For example, civil penalties range up to $100 per person, per violation, up to $25,000 per year. Criminal penalties may apply as well – up to $50,000 in fines and a year in prison for knowingly disclosing PHI; up to $100,000 in fines and five years in prison if the disclosure is under false pretenses; and up to $250,000 in fines and 10 years in prison if the disclosure is for commercial advantage. The listed requirements demonstrate that compliance efforts need to be focused on revising the covered entity’s policies and procedures, implementing training and education, and updating the plan documents, contracts, and other administrative forms. Employers with self-funded health plans will have to adapt quickly to this new regulatory scheme.