We often get requests from our customers for more detailed information about their organization’s utilization of EAP services. Employers have a legitimate need to understand how their money is being spent. Some also want to use the data to better address specific issues that their employees and their families might be experiencing. EAPs and other benefits companies—especially health insurance organizations—would like to respond to their customers’ needs, but are stymied by the necessity of complying with the regulations set forth in HIPAA.
Since April 13, 2003, all health care organizations have been required to comply with guidelines protecting an individual’s health care information. There is a great deal of detail in the Act but, in short, this federal law states that we all have privacy rights and your health information is protected. The law states that no one can release your health care information without your permission. (Detailed information is available at the Health & Human Services, Office for Civil Rights—HIPAA.)
Health care organizations, such as hospitals and group health plans, must comply with the law. Physicians are also subject to the provisions of the law. Penalties for noncompliance can be severe—the HIPAA Blog reports on one company that paid $15 million in penalties for breaching personal data.
Many gray areas
When it comes to protecting an individual’s medical notes, interpreting and complying with this law is fairly straightforward. Matters become more complex when we start talking about insurance claims data. For instance, suppose you work for a small- to mid-sized company, and one of your employees has been out sick for a period of time. When you later get a claims report from your medical insurer that shows a spike in mental health claims that coincide with this absence, the picture is fairly obvious. Does “putting two and two together” constitute a breach of HIPAA regulations? This is a much more difficult question to answer.
For the short term, employers should expect that benefits organizations will be extra cautious about the information they release. That will make benefit purchase decisions more difficult. It is also likely to cause unwanted friction between benefits companies and the customers they serve.