Search form

Federal Rules Protecting Privacy of Employee Health Information Take Effect

  • July 1, 2001

Insurance, health care provider and pharmacy records containing confidential personal health information are now subject to stiffer privacy protection under regulations issued by the Department of Health and Human Services, as empowered by the federal Health Insurance Portability and Accountability Act of 1996, or HIPAA. Until recently it was left to the states to protect this type of confidential and personal information. The federal regulations were designed to cover the weaknesses in many of those state laws while preserving the stronger protection in areas such as mental health, HIV infection, and AIDS information. The rules took effect April 14, 2001, but most employers affected by the rules have until April 14, 2003 to comply. This is Part I of a two-part article.

The basic principle of the new rules is simple: "covered entities" cannot use or disclose "protected health information" except with the consent or authorization of the patient or as permitted under the regulations.

Who Are Covered Entities?

The rules apply to "covered entities," a term broadly defined to include most health plans, health care clearinghouses, health care providers, and their "business associates," i.e., those who perform services for such entities, like claims processing or administration, billing, data analysis, consulting or other related services. HHS states that an employer is a not a covered entity. However, an employer involved in the administration or operation of its plan through the claims review process or claims processing may become a covered entity subject to the rules. Also, the privacy rules will have an impact on employer compliance efforts with other employment laws, such as the Family and Medical Leave Act and the Americans with Disabilities Act.

What is Protected Health Information?

The final rule protects medical records and other individually identifiable confidential health information, in any form, whether written, electronic or oral, that is used or disclosed by a covered entity.

Patient Control over Protected Health Information

Covered entities must inform individuals (in written or electronic form) of their privacy rights, including the following rights:

  1. to see and obtain copies of protected information;
  2. to request amendments to protected information;
  3. to be notified how a covered entity intends to use and disclose protected information and of non-routine disclosures;
  4. to request that covered entities restrict use and disclosure of protected information; and
  5. to formally complain to a covered entity or to the Secretary of HHS regarding violations of rules and policies.

©2001 Jackson Lewis P.C. This material is provided for informational purposes only. It is not intended to constitute legal advice nor does it create a client-lawyer relationship between Jackson Lewis and any recipient. Recipients should consult with counsel before taking any actions based on the information contained within this material. This material may be considered attorney advertising in some jurisdictions. Prior results do not guarantee a similar outcome.

Focused on labor and employment law since 1958, Jackson Lewis P.C.'s 950+ attorneys located in major cities nationwide consistently identify and respond to new ways workplace law intersects business. We help employers develop proactive strategies, strong policies and business-oriented solutions to cultivate high-functioning workforces that are engaged, stable and diverse, and share our clients' goals to emphasize inclusivity and respect for the contribution of every employee. For more information, visit