The Health Insurance Portability and Accountability Act (HIPAA) and its accompanying regulations have now been in effect since 2003-2004. Despite this span of nearly 16 years, HIPAA is still poorly understood and, in some contexts, poorly complied with.

Perhaps one of the least understood aspects of HIPAA is that it has separate and distinct regulatory schemes for healthcare providers and employer-sponsored health plans. These two dimensions of HIPAA will be referred to as the “medical” and “employment” sides of HIPAA.

The medical side of HIPAA is familiar to most and is the best understood. It requires healthcare providers to protect patient health information in a variety of ways, both technically and administratively.  It further requires honoring a new set of “patient rights” and taking remedial action for breaches of patient privacy. The medical side of HIPAA has seen active and, at times, aggressive enforcement, especially in the past five years.  To date, there have been criminal prosecutions as well as numerous civil penalties, the highest to date being $2.3 million.

By contrast, the employment side of HIPAA is unfamiliar to many, and compliance among employers is estimated to be less than 25 percent. The employment side of HIPAA applies to all employers who sponsor employee benefit plans (health, dental, vision, FSA, HRA and HSA).  Though all employer-sponsored health plans have legal obligations under HIPAA, the level of the compliance obligations depends largely on two factors: (1) whether the health plan (or any component thereof) is fully insured, self-insured or partially self-insured; and (2) whether the employer, as plan sponsor, keeps or maintains health benefit information regarding its employees.

For example, if an employer has a traditional fully-insured health plan and keeps or maintains no health information as part of the plan, the employer will only have minimal compliance obligations and those will likely be performed by the health insurance company. 

However, if the employer self-insures its health benefits, in whole or in part, or if the employer keeps or maintains any health information as part of its health benefit plan, full HIPAA compliance is required.  If an employer has an FSA, a deductible buy-down plan, an HSA or an HRA, these features are considered partial self-insurance and trigger full HIPAA compliance. As can be seen, many, if not most, employers will fall into the “full HIPAA compliance” category.

What does “full compliance” mean?  Full compliance with HIPAA employment regulations includes the following:

  • Appointment of privacy and security officers
  • Training of HR and health benefits personnel
  • Written HIPAA policies and procedures
  • Providing a Notice of Privacy Practices to all health plan participants
  • An extensive array of administrative, physical and technical safeguards to protect employee health plan information
  • Execution of Business Associate Agreements with third parties who help administer the employer’s health plan
  • Recognition and protection of the HIPAA rights of health plan participants

The employment side of HIPAA involves complexities not found on the medical side. Fortunately, the employment side is not yet being aggressively enforced by the federal government. For these reasons and others, many employers have not yet seen the need to determine their compliance obligations. Thus, these dual dimensions of HIPAA create an ongoing dilemma, particularly on the employment side. Wise employers will act now to retain competent professionals to assess their HIPAA compliance obligations and, if compliance is required, will take action to meet those obligations.  Waiting for the enforcement shoe to drop is an unwise strategy!

To discuss this or other healthcare-related matters, contact J. Kevin West at (208) 562-4900 or send an email to