Responsibilities of Employers Under Proposed Privacy Rule

By Mary R. Anderlik
Health Law & Policy Institute

Employers obtain access to highly personal health information of employees through a variety of channels, and existing laws do little to restrain or regulate this activity. The Americans with Disabilities Act restricts pre-employment and post-employment inquiries but not inquiries at the conditional offer stage of employment, and at least one court has held that it does not protect information obtained through claims processing. Employees may find that when they seek benefits their lives become an open book for human resources personnel.

A previous article provided an overview of the proposed privacy rule recently published by the U.S. Department of Health and Human Services (HHS). This article asks whether the proposed rule offers reassurance to individuals concerned about access to and use of their health information by employers.

Direct regulation under the rule is limited to "covered entities," i.e., health plans, health care clearinghouses, and health care providers who transmit health information electronically. The preamble to the rule concludes that, in general, employers would not be covered entities and hence would not be subject to use and disclosure requirements. Individually identifiable health information created or received by an employer as employer would not be protected under the rule. Further, the rule would permit covered entities to disclose individually identifiable health information to third parties without individual authorization for purposes of payment. Payment is broadly defined. For example, a health plan would be permitted to disclose health information protected under the rule to an employer in connection with determining the experience rating for group coverage.

The drafters of the rule considered a prohibition on any disclosures of individually identifiable health information by covered entities to employers without individual authorization or, as an alternative, a requirement that covered entities enter into contractual relationships with employers incorporating privacy standards before disclosures could occur. Neither approach was adopted because "we were concerned that we might disrupt some beneficial activities if we were to prohibit or place significant conditions on disclosures by health plans to employers."

On the other hand, the rule states that an employer acting as a health plan or health care provider would be a covered entity, and individually identifiable health information created or received by an employer in such a role would be protected. An employer-sponsored self-funded health plan could easily meet the definition of health plan, and an employee assistance program could meet the definition of health care provider, particularly if services are offered directly. An entity consisting of several different components would be required to create barriers between its components, meaning employers performing insurance functions or providing health care would have to create internal "fire walls" to prevent health information from reaching staff responsible for general employment functions such as hiring, placement, evaluation, promotion, and termination.

Disclosure of information to an employer for use in employment determinations would require individual authorization. Also, covered entities could not condition services on signature of an authorization. Since an employer as employer is not a covered entity, this prohibition would not prevent an employer from conditioning employment on the provision of a requested authorization.

In sum, the proposed rule would provide some protections to employees, but it is not a comprehensive response to privacy problems in employment. HHS is inviting comment on the extent to which employers currently receive protected health information about their employees, the activities involved, and whether any of these activities could be accomplished with de-identified information. Some change is therefore possible, although the agency’s authority is limited. In the absence of action by Congress, private sector activity assumes great importance. It is significant, then, that the National Committee for Quality Assurance has adopted a standard for the year 2000 that would require health plans to have policies that prohibit sending identifiable health information to fully insured or self-insured employers without individual consent. See http://www.ncqa.org/pages/communications/news/confrel.htm.

12/16/99