A common misconception is that all health information received by an employer is subject to HIPAA. For HIPAA compliance purposes, the key distinction is whether the information is created, received, or maintained in connection with an employer’s group health plan. HIPAA governs the privacy and security of protected health information (PHI), which is individually identifiable health information that is created, received, or maintained by a HIPAA covered entity, or on a covered entity’s behalf by a business associate (for example, a third party administrator or wellness vendor), and that relates to an individual’s past, present, or future physical or mental health or condition (see Practice Note, HIPAA Privacy Rule: Types of Information Covered By the Privacy Rule (4-501-7220)). HIPAA covered entities include:
Health plans (for example, employer-sponsored group health plans, health insurance companies, and health maintenance organizations (HMOs)).
Health care providers that conduct electronic transactions (for example, hospitals, doctors, medical clinics, psychologists, dentists, nursing homes, or pharmacies) (see Practice Note, HIPAA Electronic Transactions Under the ACA (9-517-3369)).
Health care clearinghouses.
(45 C.F.R. § 160.103; see Practice Note, HIPAA Privacy Rule: Entities Subject to the Privacy Rule (4-501-7220).)
Employers may receive health information in connection with administering other employee benefits (for example, workers’ compensation claims, disability claims, or life insurance) that is not maintained by the group health plan and therefore is not subject to HIPAA compliance.
Employers that sponsor group health plans and related wellness programs face new issues involving how and when HIPAA applies to health information that plan participants create, manage, or organize using a health app.