Guest Article

(From the Employer's Guide to HIPAA Privacy Requirements, Thompson Publishing Group)

Employers Should Consider Whether Summary Information Will Suffice


Summary: Employers that sponsor health plans should rethink their use of employee health information, and even consider restructuring their organizations, to minimize the impact of HIPAA's privacy rules, two health care attorneys suggested at a recent conference. Otherwise, improper use or disclosure of this information could result in exposure to employee lawsuits, even though the rules themselves do not create a private right to sue.

When implementing HIPAA's privacy rules, health plan sponsors should consider whether they need individually identifiable health information or can accomplish their plan functions by using summary health information, according to attorneys who spoke at a recent conference.

"If they receive summary health information for bid purposes and plan settlor functions, they can do that without jumping through the [HIPAA] hoops" for group health plans, according to Mark Lutes, an attorney with Epstein, Becker & Green in Washington. "Fully insured" plan sponsors that use only summary information also can avoid the organizational requirements of HIPAA's privacy regulations, but self-funded plan sponsors may not be satisfied with summary information because of their financial stake in the plan, he said.

Even if an employer does insist on access to individually identifiable health information, and makes the disclosures required by HIPAA, the use of this protected health information (PHI) must be limited to plan administration, even if company officials are interested in this information for other purposes, noted Frank Morris, also with Epstein, Becker & Green.

For example, a manufacturer that is deciding which of two plants to close may be interested in assessing the costs of employee health benefits at each facility. Summary health information may not be adequate for these purposes, Morris said. However, using PHI to make this decision would not only violate the privacy rules but also potentially expose the company to lawsuits alleging age or disability discrimination, he said.

In addition, HIPAA requires self-administering plan sponsors to amend their plan documents to restrict the use of PHI, Morris said. Violating these restrictions would then expose an employer to ERISA lawsuits, he said, because failing to operate the plan according to plan documents is a breach of fiduciary duty under ERISA.

Another potential source of employee lawsuits is the requirement that plan documents identify the personnel with access to PHI, Morris said. If a human resources (HR) person has seen an employee's PHI, any subsequent employment decision regarding the employee could be subject to litigation, and "we're going to have to convince a jury that other legitimate reasons were the sole motivator" for the decision, he said.

In this context, such a lawsuit would be "an easy claim to bring," Morris said. "It will have great public appeal," and could lend itself to class actions because "you're talking about the generic issues of how the information gets exchanged." One thing employers can do to "at least take yourselves out of punitive liability," he noted, is to "show that you did what was reasonable under the circumstances" by having employees with access to PHI sign acknowledgments of company policies and training.

HIPAA's privacy rules themselves do not give individuals the right to sue covered entities but, by establishing a national standard of care for the privacy of PHI, may provide a basis for state negligence lawsuits.

Structural Changes

Companies also may decide to reduce their liability by making structural changes, such as separating HR from employee benefits responsibilities, Morris said. "One of the topics we have been discussing is whether it is no longer a sensible risk situation" to have benefits administration personnel reporting to the HR department, he said, and "whether an independent line that doesn't report to HR doesn't give you some additional measure of protection."

Morris acknowledged that this type of change often may face institutional resistance. "You're talking turf here," he said. "That suggestion is not going to be easily and immediately embraced by a lot of folks."

Negligent Hiring

Another legal pitfall of HIPAA's privacy requirements is that they may hinder an employer's ability to determine if an employee poses a threat to coworkers or the public, Morris said. In the aftermath of workplace violence, for example, victims or their families frequently sue the employer for negligent hiring or retention, he said.

To prevent these incidents, "the employer wants information to know whether or not an employee does represent sufficient risk," Morris said. "There is a tremendous tension between ... this duty to create a safe workplace" and HIPAA's privacy rules, as well as the Americans With Disabilities Act (ADA), he said. "How do we reconcile those conflicting obligations? At this point, there's no easy answer."

For example, putting an employee on administrative leave pending the results of a psychiatric examination requires the disclosure of PHI, Morris said. While both HIPAA's privacy rules and the ADA provide exceptions to address these issues, he added, their scope and interaction are unclear -- HIPAA's rules refer to "emergency circumstances," the ADA to "direct threat."

Lutes and Morris spoke Feb. 1 at a Privacy and Data Security Summit sponsored by the International Association of Privacy Officers.

Reprinted with permission from the March 2002 newsletter of the Employer's Guide to HIPAA Privacy Requirements, © Thompson Publishing Group, Inc., 2002. All rights reserved.

BenefitsLink is an independent national employee benefits information provider, not formally affiliated with the firms and companies who kindly provide much of the content and advertisements published on this Web site, including the article shown above.