When HIPAA applies to employer-provided health plans

HIPAA’s Privacy and Security Rules apply to employer health plans that receive, use, and disclose protected health information (PHI) related to an employee’s medical care, treatments, or claims.

Using American Airlines’ health plan as an example

American Airlines’ health plan policy provides detailed guidance on when and how they handle PHI, covering situations like individual access, operational use, and legal exceptions.

Their plan restricts PHI use to clearly defined instances:

• Direct access by the individual: HIPAA gives individuals, or their personal representatives, the right to access their PHI. American Airlines’ plan states “the Plan only will use or disclose PHI… to the individual involved or their personal representative.”
• Treatment, payment, and health care operations: HIPAA allows PHI to be used without further authorization when necessary for “treatment, payment, or health care operations,” as the American Airlines policy states. It allows health plans to process claims, determine eligibility, and manage treatment coordination, all while remaining compliant with HIPAA.
• Legal exceptions: In certain cases, HIPAA allows PHI disclosures without individual consent, like when complying with law enforcement or legal mandates. American Airlines’ health plan specifies that PHI disclosure is permitted if it is “required by law,” or “pursuant to a subpoena,” among other exceptions listed in HIPAA’s Privacy and Security Rule.
• Plan administration: HIPAA’s minimum necessary rule mandates that only essential PHI be shared for administrative purposes. American Airlines’ plan notes that PHI may be disclosed “to the Company for plan administrative functions or as otherwise permitted under the Privacy & Security Rule.”

Protections for genetic information

HIPAA and the Genetic Information Nondiscrimination Act (GINA) prohibit health plans from using genetic information in underwriting specifically for determining eligibility, benefits, or premiums. 

American Airlines explains that "the Plan will not use or disclose PHI that is genetic information for underwriting purposes," including "for any determinations of eligibility or benefits, and the computation of premium and contribution rates." 

Ultimately, the intersection of HIPAA and GINA prevents discrimination against employees on genetic grounds.

Authorization and revocation rights

HIPAA also gives individuals the right to authorize or revoke PHI disclosures. As American Airlines’ plan states, “individuals may revoke an authorization at any time,” but “the revocation will not apply to disclosures where the plan already has relied on the authorization.”

However, individuals must contact the relevant party for revocation to maintain control over their health data.

Security measures for electronic PHI

Protecting PHI in digital formats is another aspect of HIPAA compliance, especially when using electronic communications. HIPAA compliant email solutions, like Paubox, use advanced security measures like access controls, authentication, and automatic encryption to prevent unauthorized PHI access and uphold HIPAA’s Security Rule.

Furthermore, American Airlines’ health plan describes using:

• Minimal PHI in emails: PHI in emails must be limited to the minimum necessary. The policy advises employees to “refrain from forwarding strings of email messages containing PHI,” encouraging them to prepare new messages with only essential details.
• Encryption and IT Security: The plan mandates encryption for electronic PHI, along with access control measures like “locking screensavers” and “network monitoring software, including intrusion detection and reporting.” 
• IT guidelines for data retention: In line with HIPAA, American Airlines maintains clear data access and retention procedures, limiting remote access to secure methods and following “company IT guidelines regarding electronic data,” so PHI is only accessible when needed.

Learn more: HIPAA Compliant Email: The Definitive Guide

FAQs

What is the HIPAA Privacy Rule?

The Privacy Rule governs the use and disclosure of protected health information (PHI). So, covered entities, like healthcare organizations and health plans, must keep patient information confidential and only share it for treatment, payment, and healthcare operations, or with patient consent.

What is the HIPAA Security Rule?

HIPAA’s Security Rule mandates safeguards to protect electronic PHI (ePHI). Covered entities must implement measures to prevent unauthorized access, use, or disclosure of PHI.

What is protected health information (PHI)?

PHI includes any information about health status, provision of health care, or payment for health care that can be linked to an individual and is protected under HIPAA regulations.