• Revenue Cycle Management
  • COVID-19
  • Reimbursement
  • Diabetes Awareness Month
  • Risk Management
  • Patient Retention
  • Staffing
  • Medical Economics® 100th Anniversary
  • Coding and documentation
  • Business of Endocrinology
  • Telehealth
  • Physicians Financial News
  • Cybersecurity
  • Cardiovascular Clinical Consult
  • Locum Tenens, brought to you by LocumLife®
  • Weight Management
  • Business of Women's Health
  • Practice Efficiency
  • Finance and Wealth
  • EHRs
  • Remote Patient Monitoring
  • Sponsored Webinars
  • Medical Technology
  • Billing and collections
  • Acute Pain Management
  • Exclusive Content
  • Value-based Care
  • Business of Pediatrics
  • Concierge Medicine 2.0 by Castle Connolly Private Health Partners
  • Practice Growth
  • Concierge Medicine
  • Business of Cardiology
  • Implementing the Topcon Ocular Telehealth Platform
  • Malpractice
  • Influenza
  • Sexual Health
  • Chronic Conditions
  • Technology
  • Legal and Policy
  • Money
  • Opinion
  • Vaccines
  • Practice Management
  • Patient Relations
  • Careers

Q&A: When your employer is also your health insurer


When my employer, which is also a health insurer, asks me for personal health information, is that a HIPAA violation?

Q: I work as a physician for a healthcare-provider organization that employs more than 20,000 people. It operates as our employer and also as our insurer, through one of its subsidiaries. Next year's proposed health plan states that employees will be eligible for the Health Maintenance Organization and Preferred Provider Organization plans only if they fill out a substantive medical questionnaire, which essentially surrenders all of our medical information to the employer and the insurer simultaneously. If the questionnaire is not completed, only the high-deductible plan will be available. Does this policy comply with the Health Insurance Portability and Accountability Act?

A: Technically, the healthcare provider, which in this case is your company's insurance arm, isn't disclosing any health information to the employer and therefore isn't violating its duty as a HIPAA-covered entity. HIPAA is focused on requiring covered entities (any organization that regularly handles protected health information) to keep that information confidential and prohibits covered entities from releasing that information to anyone who isn't a covered entity or business associate of a covered entity. Here, however, the disclosure is being made by the individual, rather than by a covered entity, so there is nothing for HIPAA to control. There might be other issues involved, such as violation of state insurance and/or employment laws, but HIPAA isn't implicated here, as long as the insurer portion of the company does not disclose improperly after it receives the protected health information.

Recent Videos