Business of Well-being

Offering a Worksite Clinic? It's not Just HIPAA You Need to Worry About

Offering a Worksite Clinic? It's not Just HIPAA You Need to Worry About

Worksite clinics are increasing in popularity, and no longer limited to Fortune 500 companies. Depending on the design, worksite clinics are proving to be a valuable wellness option for employers with as few as 250 employees. Even public employers are getting on board and choosing worksite clinics as a way of increasing employee productivity and controlling rising healthcare costs.

While the advantages may outweigh any compliance obligations, employers considering a worksite clinic should be aware that it isn't just privacy and HIPAA concerns that come into play. Numerous other regulatory laws must be considered. It may come as a surprise to many employers that a worksite clinic offering more than limited first aid or providing benefits to 1099 workers or family members of employees is in most cases a group health plan subject to ERISA.

This means that the worksite clinic is subject to plan documentation, fiduciary and reporting and disclosure requirements such as annual filing of a Form 5500 and distributing a summary plan description to employees describing the benefits offered at the clinic.

A strategy for streamlining these obligations is to offer the clinic as part of your group health plan. Combining your worksite clinic and group health plan also can aid in ensuring any financial or other incentives for using the clinic do not violate the Americans with Disabilities Act (ADA); however, the legal considerations are complex and combining the plans is not always advisable.

Another concern is how to handle COBRA obligations that may arise from offering a worksite clinic. There is no exemption from COBRA for a worksite clinic that provides more than first aid during working hours. Whether offered separately or as part of an employer's group health plan, many practical concerns arise when considering how to make continuation coverage for clinic visits available to former employees and their dependents, if applicable.

In addition to the practical issue of how to value the coverage for purposes of setting the COBRA premium, safety and morale issues may arise when access to the worksite is provided to former employees. The value of the coverage provided by the worksite clinic also is an important factor in several other contexts.

For example, offering a worksite clinic to employees could jeopardize an employee's eligibility to make and receive Health Savings Account (HSA) contributions. Generally, to be eligible for a HSA, the employee may not have other coverage except for preventive care and certain other limited coverage for accidents, disability, dental care, vision care and long-term care.

Most worksite clinics go beyond this limited scope of care, and employers must either limit participation for employees in high deductible health plans with HSA coverage or consider other benefit options. The value of the worksite clinic coverage also must be included in the employer's W-2 reporting of the value of group health plan coverage (whether or not combined with the employer's group health plan) and may be included in determining whether the "Cadillac" tax applies.

In 2018, a 40 percent excise tax will be imposed on the insurance carrier, employer or third party administrator depending on the type of coverage for benefit values under a group health plan in excess of $10,200 for individuals and $27,500 for families.

Unless future guidance provides relief, the value of worksite health clinic coverage will be included in determining whether the employer-sponsored coverage exceeds the permissible limits and is subject to an excise tax. Regulation as a healthcare provider also can be a huge concern if the employer is operating the clinic in-house as opposed to contracting with a third party provider.

Employers hiring clinicians directly should pay attention to state corporate practice of medicine laws and clinical licensing requirements. Medical malpractice issues also can arise based on theories of negligent hiring and negligent supervision. Whether hiring clinicians directly or through a third party provider, employers should review their contracts thoroughly to ensure they have limited liability to the extent possible.

Privacy is obviously a big concern when employees are visiting a worksite clinic for treatment. Employers need to be sure that there is adequate separation between the clinic and the employer's workforce. In some cases, it may be necessary to share information such as when the clinic is providing the employer verification of an employee's need for disability benefits or FMLA leave; however, the records of the worksite clinic should not be used for employment-based decisions.

Although HIPAA does not apply to the worksite clinic as a group health plan, HIPAA privacy and security obligations will apply to the clinic as a healthcare provider if it exchanges healthcare information electronically in connection with certain covered transactions, such as billing and care coordination.

The clinic also could have HIPAA obligations as a "business associate" under HIPAA.As noted above, the worksite clinic is not regulated under HIPAA portability, privacy and security requirements as a group health plan since it is considered an excepted benefit. However, many states impose additional privacy and data security requirements, as well as record retention requirements that will apply to a worksite clinic.

Adequate policies and procedures to ensure that information is not inappropriately shared by the worksite clinic with the employer's human resources department or others within the workforce is essential to prevent the information from being improperly used and triggering claims for violations of the ADA or other state and federal laws protecting employees and information regarding their health.

The state and federal laws protecting data privacy and security impose severe penalties on entities that fail to comply. For example, HIPAA penalties can be assessed against both the employer and its individual employees.

The penalties under HIPAA are capped at $1.5 million per type of violation per calendar year (with most privacy breaches involving several types of violations). In addition, we are seeing an increasing numbers of class action lawsuits for privacy and security breaches, which have resulted in settlements and awards in the millions of dollars.

Given the potential financial exposure, the privacy obligations remain the primary concern when bringing healthcare in-house, but the numerous other laws that are implicated should be considered when implementing the policies and procedures that govern the day-to-day operations of an on-site health clinic.

About the Author

Lorie Maring is an attorney with Fisher & Phillips LLP. She focuses her practice on helping employers navigate ERISA and other state and federal laws impacting the design, implementation and ongoing compliance of their employee benefit plans and programs.

Maring regularly advises clients on their reporting and disclosure obligations, qualified retirement plans (including 401(k), 457 and 403(b) plans), group health, life, disability and other welfare benefits; MEWAs, multiemployer plan issues, HIPAA and Health Care Reform Act.

She also works with clients to resolve employee benefits issues arising in bankruptcy, corporate transactions, and IRS and DOL audits. She serves clients in the public and private sector, including non-profit organizations and trade associations. Contact:, 404-240-4225

Learn about how you can become a Certified Corporate Wellness Specialist→