Editor’s Note: John Crolle is a member of the Business Section and Health Care Practice Group of Ward and Smith, P.A.

RALEIGH – It certainly seems logical that if your company is not involved in the provision or management of health-care services, then the requirements of the Health Insurance Portability and Accountability Act ("HIPAA"), which, among other things, mandates certain treatment of medical information about individuals, do not apply to your company.

However, because one of the purposes of HIPAA is the protection of certain health information, your company may be required to comply with certain HIPAA provisions, depending on the specific circumstances surrounding its group health plan. Where HIPAA does apply, failure to comply with its requirements can result in significant expense and administrative burdens.

What is HIPAA?

Almost everyone has heard of HIPAA, but what is it? HIPAA is a federal law passed in 1996 that reformed certain aspects of the health-care industry. One of the most significant goals of HIPAA is increasing the protection and privacy of individuals’ health information.

HIPAA regulates the use and disclosure of "protected health information" ("PHI"). For purposes of HIPAA, PHI includes information relating to an individual’s physical or mental health and the provision of, or payment for, an individual’s health care, if the information is individually identifiable – meaning it contains information such as the person’s name, address, date of birth, social security number, or other information that could be used to identify a specific person. Except in specifically enumerated circumstances, HIPAA requires that, before a person or entity subject to HIPAA discloses PHI to another person or entity, the disclosing person first obtain authorization for the release from the individual to whom the PHI relates.

Who Must Comply With HIPAA?

HIPAA applies to "covered entities" and "business associates" of covered entities. Covered entities generally include health-care providers, health plans, and health-care clearinghouses.

Business associates of covered entities are those persons or entities that have access to PHI as a result of a contractual relationship with a covered entity to perform services that involve the use or disclosure of PHI.

How Does HIPAA Apply to Employers?

While employers in general, including those who sponsor group health plans, are neither covered entities nor business associates of covered entities, they still may be subject to HIPAA if they do, in fact, sponsor a group health plan. This is because a group health plan is itself a "health plan," and therefore a covered entity, and the regulations relating to group health plans place stringent conditions on the disclosure of participating employees’ PHI from the group plan to the plan sponsor. The compliance requirements imposed on an employer that is a plan sponsor will vary depending on the type of group plan, the employer’s level of access to employee PHI, and the employer’s involvement in the administration of the group plan.

For employers that sponsor fully insured plans and have very limited access to PHI, the requirements may be as simple as ensuring that there is no retaliation against employees who exercise their HIPAA rights and that plan participants are not permitted to "waive" their rights under HIPAA.

For employers that sponsor other types of plans and that have more extensive access to PHI, compliance can be much more complicated. Such employers may be required to:

  • adopt a privacy policy
  • prepare a notice of privacy rights for plan participants and actively distribute it to plan participants
  • appoint a HIPAA compliance officer
  • train all employees with access to PHI on privacy requirements and procedures
  • limit the employees with access to PHI
  • discipline employees who violate the privacy policy and mitigate the harm caused by the violation
  • store all PHI in a secure location
  • enter into business associate agreements in which all business associates agree to comply with HIPAA regulations
  • explain the rights of plan participants to the participants and ensure that they are allowed to exercise those rights without retaliation.

Enforcement of HIPAA Regulations

The U.S. Department of Health and Human Services ("DHHS") generally enforces HIPAA. DHHS may assess civil penalties of $100 per violation on each person committing a violation, with a maximum annual penalty of $25,000 for all violations of an identical requirement or prohibition. These amounts reflect the civil penalty structure in effect when this article was written (2007); later amendments to HIPAA substantially increased the civil penalty tiers and the annual maximum.

It is also a criminal offense for a person or entity to knowingly obtain or disclose PHI in violation of HIPAA or the related regulations. The U.S. Department of Justice handles criminal violations of HIPAA. Conviction for a criminal violation of HIPAA may result in substantial fines (possibly hundreds of thousands of dollars), imprisonment for up to ten years, or both.

The determination of whether an employer is required to comply with HIPAA regulations and, if so, the employer’s compliance requirements can be made only after an evaluation of the specific facts of the employer’s involvement with the group plan. Failure to comply as required can result in an employer and its employees being subject to significant monetary penalties, additional administrative costs, and even imprisonment. Accordingly, if your company sponsors a group health plan, you should consult with a legal advisor who has expertise in the area of HIPAA compliance to determine the extent, if any, to which your company is required to comply with HIPAA and, if so, the steps necessary for compliance.

© 2007, Ward and Smith, P.A.

Ward and Smith, P.A. provides a multi-specialty approach to the representation of technology companies and their officers, directors, employees, and investors. John Crolle practices in the Business Section and Health Care Practice Group, where he concentrates his practice on business start-ups, acquisitions, and transactional matters. Comments or questions may be sent to jpc@wardandsmith.com.

This article is not intended to give, and should not be relied upon for, legal advice in any particular circumstance or fact situation. No action should be taken in reliance upon the information contained in this article without obtaining the advice of an attorney.