The HIPAA Privacy Rule does not directly state whether all employers who come into contact with PHI must comply with the rule. The answer to the question of how HIPAA law and employers regulations intersect, can be determined by keeping in mind the purpose behind the rule.

HIPAA Law and Employers: The HIPAA Privacy Rule

As noted by the Department of Health and Human Services (HHS), the HIPAA Privacy Rule was created to accomplish two goals: to assure that individuals’ health information is properly protected, while allowing for the flow of health information needed to provide and promote high quality healthcare and protect the public’s health and well being. The Privacy Rule was designed to strike a balance that permits important uses of information, while protecting the privacy of people who seek care and healing.

To ensure that health information is protected from improper use and disclosure, the HIPAA Privacy Rule covers those entities that deal with healthcare information in the regular course of their business. The Privacy Rule labels these entities who deal with healthcare information as a matter of course, as “covered entities.”

Covered entities may include health plans, healthcare clearinghouses, and healthcare providers. These entities, to qualify as covered entities (and therefore be subject to the Privacy Rule) must do something with respect to certain health information.

The health information with respect to which covered entities must do something, is called protected health information, or PHI. PHI is any piece of information in an individual’s medical record that was created, used, or disclosed during the course of diagnosis or treatment that can be used to personally identify the patient. This includes a wide variety of identifiers and different information recorded throughout the course of routine treatment and billing.

There are 18 types of information that qualify as PHI. Examples include (among others) telephone numbers, fax numbers, medical record numbers, and Social Security numbers.

As noted above, an entity must DO something with respect to PHI to qualify as a covered entity. What must the entity do? The entity must be involved in the transmission of protected health information (PHI). This transmission must take place for the purpose of payment, treatment, operations, billing, or insurance coverage. That is, for PHI to be subject to the protections of HIPAA, the PHI must be transmitted to communicate information about an individual’s past, present, or future medical condition, the provision of healthcare to an individual, or the payment for the provision of healthcare.

Covered entities typically contract with other entities, known as business associates, that perform functions or activities on behalf of, or provide certain services to, the covered entity. The functions, activities, and services involve access by the business associate to protected health information. Examples of business associates include:

• Data transmission providers
• Data processing firms
• Data storage or data shredding firms 
• Medical equipment companies
• Audit consultants 
• Electronic health information exchanges
• Medical transcription services
• External auditors or accountants

Because business associates, by contract, access protected health information on behalf of entities who deal with health information as a matter of course, business associates are also subject to the HIPAA Privacy Rule. Recall a main purpose of the HIPAA Privacy Rule: to ensure that PHI is protected from improper use and disclosure. Requiring business associates to comply with the Privacy Rule’s restrictions on how PHI can be used or disclosed, directly furthers this rule.

So, What About HIPAA Law and Employers?

Since protected health information is only covered by HIPAA when it is used to communicate information about an individual’s past, present, or future medical condition, the provision of healthcare to an individual, or the payment for the provision of healthcare, employers and their employees are often not subject to the Privacy Rule, even if they come into contact with PHI.  

Take the example of a construction company worker who supplies personal information to his or her employer’s HR Department when the worker begins his or her job. Some of this information – such as the employee’s telephone number and Social Security number – is PHI. However, IF the HR Department never uses the PHI to communicate information about an individual’s past, present, or future medical condition, the provision of healthcare to an individual, or the payment for the provision of healthcare, the PHI – and therefore the employer – are not subject to the Privacy Rule.  There has been no transmission of or communication with respect to the PHI; therefore, the employer is not a covered entity.