The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires covered entities to abide by certain guidelines and rules that protect against the unauthorized use or disclosure of protected health information (PHI). Generally, covered entities may not use or disclose PHI unless you authorize such use or disclosure. Whether your employer has violated your HIPAA privacy rights depends on whether your employer qualifies as a covered entity, and on the circumstances under which your employer obtained or used your PHI.
HIPAA defines covered entities as health insurance plans, health care providers and health care clearinghouses — basically, anyone who provides health care or manages payment for health care. Accordingly, most employers will not automatically qualify as covered entities; only hospitals, doctors’ offices, and the like necessarily meet the statutory definition. But employer-sponsored ERISA group health plans do qualify as covered entities, and if your employer offers an ERISA group health plan, it must act on behalf of the plan in fulfilling its obligations under the HIPAA privacy rules.
Likewise, employers who offer any kind of health clinic operations to their employees or act as intermediaries between their employees and their health care providers must also abide by HIPAA privacy requirements. If your employer has taken advantage of its position as your group health plan manager or clearinghouse to access your PHI, your employer may have violated your HIPAA rights.
Contact Atlanta-based Reddy Law Firm, P.C. if you feel your rights have been violated.