of Employee Health Regulations
By Kirk J. Nahra, JD
Personal healthcare information is inherently sensitive, and individuals are justified in worrying that the breach of such information could result in an impact on their career, personal embarrassment, insurance risks, and a variety of other adverse consequences. Identity thieves, as a result, find healthcare information to be incredibly valuable.
As employers become more involved in the overall management of employee wellness and healthcare expenditures, there
is a strong interest in effective management and utilization of
this employee data for a growing range of employer interests.
Employers and other entities are becoming more involved in Big
Data initiatives, offering new opportunities to gather information that will promote more effective and efficient workplaces.
However, employers need to consider carefully their approach
to employee healthcare information and act intelligently.
For employers, this concern about healthcare information
comes with enormous legal, compliance, and related risks and
a range of challenges. This article outlines some of the key issues for employers related to employee healthcare information, and some of the key steps to consider in developing an appropriate compliance and regulatory approach for this information.
The Start of the Problem: HIPAA and Employers
Much of the challenge for employers when dealing with employee healthcare information stems from the HIPAA Privacy
Rule. When this rule was being written, one of the government’s
primary concerns in structuring the rule was its recognition that
employers provide much of the health insurance in this country.
With this background, the goal of the US Department of Health
and Human Services (HHS) with employers is quite clear—to
ensure, as much as possible, that personal health information
is not used by employers for employment-related decisions or
used against an employee in connection with their employment.
However, because of the tortured history of the HIPAA statute, which was driven by health insurance portability and
“standard transactions” rather than privacy, HHS had no
authority to regulate employers directly. If it had been given
such authority, the law could have included a provision that
said “no employee health information can be used for employment-related purposes.” However, this is not the case.
While HHS could not regulate employers directly, HHS did
have authority to regulate group health plans, which are the
employee welfare benefit plans that provide actual healthcare
benefits to employees and define the scope of these benefits.
These group health plans are “covered entities” under the
HIPAA Privacy Rule, meaning that for the most part they must
comply with the HIPAA Privacy Rule to the same extent that a
typical health insurer or large hospital must.
Under the HIPAA Privacy Rule as written, employers must
place stringent conditions on the flow of employee health information from the group health plan, which is the formal en-