Q&A: When your employer is also your health insurer

March 6, 2009

When my employer, which is also a health insurer, asks me for personal health information, is that a HIPAA violation?

Q: I work as a physician for a healthcare-provider organization that employs more than 20,000 people. It operates as our employer and also as our insurer, through one of its subsidiaries. Next year's proposed health plan states that employees will be eligible for the Health Maintenance Organization and Preferred Provider Organization plans only if they fill out a substantive medical questionnaire, which essentially surrenders all of our medical information to the employer and the insurer simultaneously. If the questionnaire is not completed, only the high-deductible plan will be available. Does this policy comply with the Health Insurance Portability and Accountability Act?

A: Technically, the healthcare provider, which in this case is your company's insurance arm, isn't disclosing any health information to the employer and therefore isn't violating its duty as a HIPAA-covered entity. HIPAA is focused on requiring covered entities (any organization that regularly handles protected health information) to keep that information confidential and prohibits covered entities from releasing that information to anyone who isn't a covered entity or business associate of a covered entity. Here, however, the disclosure is being made by the individual, rather than by a covered entity, so there is nothing for HIPAA to control. There might be other issues involved, such as violation of state insurance and/or employment laws, but HIPAA isn't implicated here, as long as the insurer portion of the company does not disclose improperly after it receives the protected health information.