Employee Benefits Compliance

Think You Don’t Have PHI? Check Again

Many employers who sponsor insured group health plans incorrectly believe that they are not subject to any HIPAA privacy and security requirements because they do not have “protected health information” (PHI). In fact, many of these employers do have PHI or electronic PHI (ePHI); they just don’t realize it. And even if you genuinely do not have PHI, you still have several obligations under HIPAA (the Health Insurance Portability and Accountability Act).

This article lists many common and not-so-common examples of PHI and also lists exemptions from HIPAA Privacy and Security rules and examples of information that is NOT PHI. Additionally, it explains other HIPAA requirements that apply to plan sponsors even if they do not have PHI.

Definition of PHI

“Protected Health Information” or PHI is defined very broadly as “individually identifiable health information,” including demographic information, that relates to:

  • the individual’s past, present or future physical or mental health or condition,
  • the provision of health care to the individual, or
  • the past, present, or future payment for the provision of health care to the individual,

and that identifies the individual, or for which there is a reasonable basis to believe it can be used to identify the individual (45 C.F.R. § 160.103). The definition carries several exclusions, notably employment records held by a covered entity in its role as an employer, and education records and certain other student records covered by the Family Educational Rights and Privacy Act (FERPA).

Examples of PHI and ePHI

Here are some common examples of PHI and electronic PHI (ePHI). If you sponsor a fully insured plan and your intent is not to have PHI or ePHI, check to make sure you don’t inadvertently hold or receive any of the following.

  • Enrollment and disenrollment data may become PHI once it is “touched” by the covered entity. For example, enrollment data is not PHI if employees enroll through the employer, but once the employer sends it to the insurer it probably becomes PHI. If the insurer subsequently sends back the information so the employer can cross-check that enrolled individuals are current employees (e.g., a “list bill” situation), the enrollment information coming back from the insurer to the employer probably is PHI.
  • Claims, including receipts for medical expenses
  • Copies of Explanations of Benefits (EOBs) and medical providers’ bills
  • Participants’ HIPAA authorizations (these identify what PHI they are authorizing to be disclosed)
  • Health plan participants’ appeals of denied claims (if information provided includes medical information from the health plan)

Potential PHI and ePHI

Below are examples of individually identifiable information that might be considered PHI or ePHI. If you store or disclose any of it, consider whether you actually need it and, if so, whether you should apply HIPAA privacy and security safeguards to it.

  • A notation in your benefit plan or accounting file that a plan owes a certain amount to a medical provider on behalf of a particular participant.
  • Information about the status or dollar amount of a participant’s pending claim or appeal for health plan benefits, even if it does not specify the nature of the claim.
  • If you include health FSA reimbursement information on employees’ pay stubs, that information might be considered PHI.
  • If your photocopiers, fax machines and other office devices retain copies of what is copied, scanned or faxed (many have internal storage), you may inadvertently be storing PHI. You not only need to apply HIPAA privacy and security protections to that stored information but also need to remove any PHI, for example by wiping or destroying the device’s storage, before the device is disposed of or returned, such as at the end of a copier lease.

Examples of Health Information that is NOT PHI

The HIPAA regulations do specify some information that is not considered PHI. Note that some information is PHI if it is created, held or disclosed by a particular entity (e.g., by a medical provider or a health plan), but is not PHI if that same information is held by another entity (e.g., by an employer in its role as “employer”). Following are some examples of individually identifiable health information that is not PHI.

  • Health information in employment records that is used to carry out obligations as an employer. Examples (cited in the Preamble to the HIPAA regulations) include records needed by the employer to carry out its obligations under the FMLA, ADA, and similar laws, as well as files or records related to occupational injury, disability insurance eligibility, sick-leave requests, drug screenings, workplace medical surveillance, and fitness-for-duty tests of employees. However, other privacy requirements (such as in the Americans with Disabilities Act and state privacy laws) still could apply to the health information that is held in employment records.
  • Drug and alcohol test results are not PHI when held by the employer, but they are PHI when held by a health care provider that is a covered entity under the HIPAA Privacy Rule, for example when a medical provider performs a pre-employment or post-accident drug test on an applicant or employee.
  • A health FSA or Health Reimbursement Arrangement (HRA) that has fewer than 50 participants and is administered solely by the employer that established and maintains it is excluded from HIPAA’s definition of a “health plan,” so it is not a covered entity and its information is not PHI.

Plan Sponsor Activities that Likely Involve PHI

Even if you offer only an insured group health plan, you might also engage in some of the following activities. If so, you likely have access to PHI. For example, if you:

  • Self-administer your Health Flexible Spending Account (HFSA) or Health Reimbursement Arrangement (HRA)
    • Many employers who offer only fully insured health plans also offer an HFSA or an HRA. These are self-funded plans.
    • However, a self-funded plan is not subject to HIPAA if it is small (fewer than 50 participants) and administered solely by the employer. You should still take steps to protect individually identifiable health information even if your HFSA or HRA is not subject to HIPAA.
  • Offer a Wellness Program and receive individuals’ data from the program (e.g., results of biometric screenings and/or Health Risk Assessments), even if you just transmit the data to a third party with whom you have a Business Associate Agreement (BAA)
  • Help employees or dependents resolve claims or disputes with carriers
  • Review appeals from claims denials
    • If you offer a HFSA for which you hire a TPA, but you make the final determination if a participant appeals a HFSA claim denial, then you are reviewing appeals from claims denials.

HIPAA Obligations of Employers who do NOT Have PHI

Even if an employer sponsors an insured plan and does not have PHI, it still has the following HIPAA obligations:

  • The plan must comply with the breach notification requirements of the Health Information Technology for Economic and Clinical Health Act (HITECH Act). If the insurer, plan sponsor or a business associate discovers a breach of unsecured PHI, affected individuals must be notified without unreasonable delay and no later than 60 calendar days after discovery, and HHS must be notified as well (within the same 60-day window for breaches affecting 500 or more individuals; smaller breaches are logged and reported to HHS annually). Additionally, if the breach involved the PHI of more than 500 residents of a single state or jurisdiction, prominent media outlets serving that area must also be notified.
  • Neither the plan (insurer) nor the plan sponsor can require an individual to waive his or her privacy rights under HIPAA (for example, require the individual to agree to disclosure of PHI) as a condition of treatment, payment, enrollment or eligibility for benefits.
  • The plan (insurer) and plan sponsor cannot intimidate, threaten, coerce, discriminate against, or take other retaliatory action against any individuals for:
    1. exercising or refusing to waive their rights under the HIPAA rules;
    2. participating in any process provided for by the HIPAA rules, including the filing of a complaint;
    3. testifying, assisting, or participating in an investigation, compliance review, proceeding, or hearing under the HIPAA regulations; or
    4. opposing any act or practice that is illegal under HIPAA, if such individuals have a good faith belief that the practice opposed is unlawful, and the manner of opposition is reasonable and does not involve a disclosure of PHI in violation of the HIPAA regulations.

Obligation to Safeguard PHI even if Patient Authorization is Not Required

HIPAA requires that covered entities protect individuals’ PHI in two distinct ways: by safeguarding the PHI they hold, and by obtaining the individual’s authorization before using or disclosing PHI (except for specified purposes). If you do obtain PHI, even inadvertently, keep in mind that these are two separate obligations: the safeguarding obligation applies regardless of whether an authorization is needed. The following are examples of purposes for which written authorization is not required to use or disclose PHI, but for which the employer must still safeguard any PHI it holds:

  • Treatment, Payment and Healthcare Operations
  • Public health and safety
  • Law enforcement
  • Investigations by certain federal government agencies
  • Judicial subpoenas

Since HIPAA requirements are complex and most groups receive detailed invoices (also known as “list bills”), we recommend that all group health plan sponsors review HIPAA requirements and take an “over-broad” approach to compliance. This is particularly true since the HHS Office for Civil Rights (OCR) has stepped up its HIPAA audits.

Next Steps for Employers

Group Health Plan sponsors should review their compliance with HIPAA’s Privacy, Security and Breach Notification Rules, and take any necessary steps to ensure they are in compliance with all applicable HIPAA requirements. Specific action steps include:

  • List all benefit plans you offer to employees and determine which ones would be considered “covered entities” under HIPAA. Examples of covered entities include medical plans (including prescription drug, dental and vision coverage), wellness programs offered as part of a group health plan, HFSAs and HRAs. Plans that are not covered entities under HIPAA include life, disability, workers’ compensation and leave plans.
  • Review what activities you do that might involve PHI, and where you store individually identifiable health information you obtain through these activities.
  • Review the lists above of what is and is not PHI, and if you are or might be getting PHI, consider the alternatives. Could you do without that particular information? Could you hire a third party to handle it? Or do you need to recognize that it is PHI and protect it accordingly?
  • Make sure you are complying with those HIPAA obligations that do apply even to plan sponsors who do not have PHI or ePHI.
  • Remember that if you do get PHI, you are required to safeguard it even when you are not required to obtain participant authorization to disclose or use it.