Thank you for sharing!

Your article was successfully shared with the contacts you provided.
Very few companies�or their lawyers or chief financial officers�would expect that the return of uncashed medical reimbursement checks to employees drawn on one of the company’s group health plans would require them to navigate through issues of both state escheat law and the federal Health Insurance Portability and Accountability Act. Pub. L. No. 104-191, 110 Stat. 1936 (1996) (HIPAA). However, companies must do just that when deciding whether either to turn employees’ unclaimed payments over to the applicable state escheat authority or to roll them back into the company’s health plan. To decide this issue, employers must examine both the applicable state escheat law and HIPAA’s extensive privacy regulations. The place to start the analysis is with state escheat (or unclaimed property) law requirements. Many states have laws known as “escheat”-or abandoned and unclaimed property laws. These laws govern who will ultimately own and control abandoned or unclaimed property, and also require companies holding such property to turn over custody and control of the property to the state escheat authority. After a certain period of time, which is usually defined by state statute, these checks become escheatable (or unclaimed) property, and must be turned over to the state. Employers must consider state escheat law in deciding what to do with the return of uncashed medical reimbursement checks drawn on one of their group health plans. State escheat law will not allow companies simply to roll these funds back into their health plans. Failure to comply with these requirements will expose companies to penalties and fines. In New York, Pennsylvania and California, for example, noncompliance with their unclaimed property laws may result in fines plus liability for interest computed on the value of the property-with Pennsylvania even going so far as to allow for potential imprisonment of up to 12 months. See N.Y. Aban. Prop. Law, �� 1316, 1412; Penn. Stat. Ann. tit. 72, �� 1301.24, 1301.25; Calif. Code Civ. Proc. �� 1576, 1577. This analysis, however, is made more complex by HIPAA. True, at first glance, compliance with state escheat law on the issue of uncashed medical reimbursement checks seems fairly straightforward. But HIPAA’s implementing privacy regulations and state law pre-emption draw into question whether companies-in deciding what to do with these checks-can comply with state escheat law without violating HIPAA’s privacy regulations. One of HIPAA’s main objectives is to assure that individuals’ personal health information is properly protected while allowing for the efficient flow of health information needed to provide high-quality health care. In August 2002, the secretary of the U.S. Department of Health and Human Services adopted final privacy regulations under HIPAA governing certain individual health information. Known collectively as the Privacy Rule, 45 C.F.R. Parts 160, 164, these regulations pre-empt any conflicting state law, including state escheat law. The text of the privacy rule is available at http://cfr.law.cornell.edu/cfr (follow directions by filling in “45″ for CFR section and “160″ for CFR part, when prompted). The Privacy Rule specifically defines and limits the circumstances in which an individual’s “protected health information” may be used or disclosed by “covered entities”-which includes employer-sponsored group health plans. Protected health information is defined under the Privacy Rule as “individually identifiable health information” transmitted by or maintained in electronic media or any other form or media. 45 C.F.R. 160.103. In turn, individually identifiable health information is information, including demographic data, that relates to the individual’s past, present or future physical or mental health or condition; the provision of health care to the individual; or the past, present or future payment for the provision of health care to the individual. Individually identifiable health information is also information that identifies the individual or for which there is a reasonable basis to believe can be used to identify the individual. 45 C.F.R. 160.103. Such information includes many common identifiers (e.g., name, address, birth date and Social Security number). 45 C.F.R. 160.103, 164.514. What’s a company to do? First, companies must evaluate whether these checks carry protected health information of covered employees. Medical reimbursement checks concern “payment for the provision of health care,” and usually include at least the name of the individual who received the health care (often along with additional information such as the individual’s Social Security number and the health care provider). Because such information constitutes protected health information, these checks trigger all of the protections delineated under the Privacy Rule limiting their use or disclosure. Second, companies must determine the extent to which certain protected health information may be used or disclosed. Generally, a covered entity may not use or disclose protected health information, except either as the Privacy Rule permits or requires, or as the individual who is the subject of the information authorizes in writing. The return of uncashed medical reimbursement checks necessarily implies that the company was unable to locate the individual, and therefore cannot obtain written authorization. Finally, the company must examine the Privacy Rule for permitted uses and disclosures. Section 164.502 of the privacy regulations addresses permitted uses and disclosures of protected health information. 45 C.F.R. 164.502(a)(1). Among the listed permitted uses and disclosures, a covered entity is permitted to use and disclose protected health information, without an individual’s authorization, “for treatment, payment, and healthcare operations activities.” 45 C.F.R. 164.502(a)(1)(ii). “Payment” encompasses activities of a health plan to obtain premiums, determine or fulfill responsibilities for coverage and provision of benefits, and furnish or obtain reimbursement for health care delivered to an individual, and activities of a health care provider to obtain payment or be reimbursed for the provision of healthcare to an individual. 45 C.F.R. 164.501. Since medical reimbursement checks effect “payment” for health care delivered to an individual, the protected health information these checks contain can be disclosed to a state escheat authority without violating HIPAA’s Privacy Rule. It is important to remember, though, that HIPAA also requires covered entities to make reasonable efforts to limit disclosure to the minimum necessary to accomplish the permitted purpose. Under state escheat law, uncashed medical reimbursement checks to employees should be turned over to the state escheat authority and cannot be rolled back into a company’s health plan, even though these checks contain “protected health information.” The transfer of such checks over to the state does not violate HIPAA. HIPAA’s Privacy Rule allows the disclosure of protected health information for the “payment” of an individual’s health care, and these reimbursement checks constitute payment under the Privacy Rule. Companies should be careful, however, to minimize the disclosure of such personal information to the extent necessary to comply fairly with the applicable state’s escheat law. Paul D. Sullivan is a corporate associate at Pittsburgh’s Hull McGuire, where he practices in the areas of corporate transactions, international law and taxation.

This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.

To view this content, please continue to their sites.

Not a Lexis Advance® Subscriber?
Subscribe Now

Not a Bloomberg Law Subscriber?
Subscribe Now

Why am I seeing this?

LexisNexis® and Bloomberg Law are third party online distributors of the broad collection of current and archived versions of ALM's legal news publications. LexisNexis® and Bloomberg Law customers are able to access and use ALM's content, including content from the National Law Journal, The American Lawyer, Legaltech News, The New York Law Journal, and Corporate Counsel, as well as other sources of legal information.

For questions call 1-877-256-2472 or contact us at [email protected]

Reprints & Licensing
Mentioned in a Law.com story?

License our industry-leading legal content to extend your thought leadership and build your brand.


ALM Legal Publication Newsletters

Sign Up Today and Never Miss Another Story.

As part of your digital membership, you can sign up for an unlimited number of a wide range of complimentary newsletters. Visit your My Account page to make your selections. Get the timely legal news and critical analysis you cannot afford to miss. Tailored just for you. In your inbox. Every day.

Copyright © 2021 ALM Media Properties, LLC. All Rights Reserved.