
Medical Privacy: HIPAA: Covered Employer: Does my status as an employer make me a “covered entity” for the purposes of HIPAA privacy?


Covered entities, as defined by the regulation, consist of health care providers that handle various business transactions; health care clearinghouses, such as health care management organizations; and health plans. Employer-sponsored group health plans are generally included in the last category.

The Employee Retirement Income Security Act (ERISA) treats insured and self-insured group health plans as “employee welfare benefit plans.” Assuming the plan provides medical care, it is considered a covered entity. If the plan is self-administered and has fewer than 50 participants, it is not considered a covered entity.

An employer is not defined as a covered entity based solely on being an employer. An employer must sponsor an ERISA health plan, and the entity administering the employee health plan is the “covered entity.” Flexible spending plans, vision plans, dental plans and cafeteria plans may be considered covered entities if they pay for medical care and satisfy the ERISA definition of an employee welfare benefit plan.

Some employers are exempt from the covered entity designation: employers that do not receive or create protected health information (PHI), and employers that offer group health plans exclusively through HMOs or insurance company products.

The HIPAA privacy rule requires covered entities to carefully handle employee PHI. This information includes medical records and all “individually identifiable health information” received, maintained, and released by a covered entity.

Medical information maintained by employers is not always considered PHI. This depends on whether the information is maintained in the organization’s role as an employer or in its role as a group health plan (a covered entity). For example, when an employee submits a doctor’s note to document the use of sick leave, that information is used to satisfy an employer policy related to attendance. The note becomes part of the employer’s personnel file and is not considered PHI because it has no association with the employer’s group health plan (the covered entity). Although this information is not considered PHI, other employee privacy and personnel record laws and regulations may still protect it.

The HIPAA privacy rule allows covered entities to release PHI externally and to use the information internally only under limited circumstances. Employee permission is needed when the use of PHI falls outside of the circumstances permitted by the privacy rule.

Covered entities handling PHI must have appropriate safeguards in place to protect the information. These include technical safeguards such as computer security systems, physical safeguards such as locking file cabinets, and administrative safeguards such as appropriate file access policies.
