HIPAA establishes privacy and security standards for covered entities that handle protected health information (PHI) for certain purposes related to the provision of healthcare.  While employers may handle some health data in their human resources capacities, HIPAA does not directly regulate most employers that are not otherwise covered entities.  However, in some cases, the portion of the employer’s workforce that administers employer-sponsored group health plans may be subject to HIPAA if the employer: (1) sponsors group health plans for 50 or more participants; or (2) outsources administration of sponsored health plans to a third party that establishes or maintains the plan.  In these scenarios, the group health plan is considered to be a separate legal entity from the employer or group health plan sponsor.  The employer itself is not considered a covered entity.¹

To help clarify the sometimes overlapping relationship between an employer-sponsored group health plan and the employer or plan sponsor, HIPAA includes the following provisions:

• Limits on Disclosure.  A group health plan may share PHI with the employer or plan sponsor when the information is necessary for the plan sponsor to perform certain administrative functions, such as obtaining bids for health insurance coverage under the group health plan, or modifying or terminating the plan.²
• Certification of Limitations. The group health plan may only disclose PHI to the employer or plan sponsor upon certification from the employer-sponsor that it will, among other obligations:  (1) use the PHI only as permitted by the plan or as required by law; (2) ensure that any third-party service providers abide by the same restrictions; and (3) refrain from using the PHI for any employment-related actions or decisions.³
• Adequate Separation.  The plan must provide for adequate separation between the group health plan and employer-sponsor.  The plan should (1) describe which employees or other designated persons may be given access to the PHI; (2) restrict access to and use of the PHI by such employees and other designated persons; and (3) provide an effective mechanism for resolving any issues of noncompliance.⁴

¹ 45 CFR § 160.103.

² Id. § 164.504(f)(1).

³ Id. § 164.504(f)(2).

⁴ Id. § 164.504(f)(2)(iii).