Employers beware of the broad reach of HIPAA's privacy rule

Questions-and Answers

The intent of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) is, in part, to protect certain health information created or maintained by health care providers who engage in certain electronic transactions, health plans, and health care clearinghouses (protected health information, or PHI).

In December 2000, the Department of Health and Human Services (HHS) issued final regulations, "Standards for Privacy of Individually Identifiable Health Information" (referred to here as the privacy rule), applicable to "covered entities" under HIPAA. These regulations were subsequently modified on May 31, 2002, and finalized on August 14, 2002. Although employers with large group health plans had to comply with the privacy rule by April 2003, employers with small group health plans have until April 2004 to comply. The following questions and answers highlight important aspects of the privacy rule and employer obligations in dealing with employee health information.