Some of the most pressing questions concerning HIPAA privacy, including how to determine covered entities, what rules apply to a fully insured group health plan, and whether the privacy rules apply to workers' compensation, were the topic of a recent teleweb seminar offered by the International Foundation of Employee Benefit Plans (IFEBP). Phyllis C. Borzi, an attorney who specializes in ERISA and other legal areas affecting employee benefit plans, addressed these and other "top 10" frequently asked questions about the privacy regulations that were finalized in August. This summary should assist employment attorneys in counseling their clients regarding HIPAA privacy issues.

1. How can I tell if I am a covered entity?

Borzi reviewed the definition of a covered entity, which is any health plan, health care clearinghouse, or health care provider that transmits protected health information (PHI) in electronic form in connection with a HIPAA transaction. A covered health plan is any group health plan with 50 or more participants that is self-administered, any group health plan of any size that is administered by other entities (including both ERISA and non-ERISA plans), and non-federal governmental plans. Covered health plans also include health insurance issuers, HMOs, Medicare and MedicaidChoice plans, Medicaid and SCHIP programs, federal employees health benefits programs, and MEWAs (regardless of whether they are plans under ERISA).

There are some special rules for small health plans. Self-administered plans with fewer than 50 participants are exempt from the rules, and there is a deferred effective date (April 14, 2004) for plans that have annual receipts of $5 million or less. Recent Centers for Medicare and Medicaid Services (CMS) guidance has defined receipts for insured plans as premiums paid. For self-insured plans, receipts are the total claims paid by the employer, plan sponsor or fund. For plans with both insured and self-insured elements, Borzi suggested that they combine the two numbers to determine their receipts.

It is important to remember that only the plan is considered to be a covered entity, but if an entity performs services for the plan, there are ways it can be affected by the rule as well. For example, a covered entity can only share PHI with another entity if that entity has an individual authorization from the person who is the subject of the PHI, or if the privacy rules otherwise allow it. There are, however, special rules for sharing PHI with employers and other plan sponsors and with business associates.

Other non-health benefit plans, such as pension, disability, and life insurance plans, are not covered by the rules, even if they collect health information for reasons such as determining eligibility. Borzi noted that this may be a problem for entities that maintain integrated databases for their benefit plans, because only the group health plan is covered by the rules, and sponsors are not permitted to use group health plan PHI for purposes of other benefits. Borzi suggests that where integrated databases are maintained, the input of data from the health plan should be stopped after the compliance date of the rules, and some other plan or administrative function should maintain the database, so that no one else is getting the information from the group health plan.

2. What is protected health information?

Protected health information, or PHI, is defined as individually identifiable health information that is transmitted or maintained by electronic media or in any other form or medium. Individually identifiable health information is health information that (1) is created or received by a health care provider, health plan, employer or health care clearinghouse and relates to an individual's past, present or future health or condition, receipt of health care, or payment for health care, and (2) identifies an individual or creates a reasonable basis to believe the information can be used to identify the individual. The recently finalized privacy rules clarify that PHI does not include employment information maintained by a covered entity as an employer.

The fact that information can be PHI even if it is not clinical or medical information seems to be a source of confusion for many people, Borzi noted. For example, an electronic file with an employee's name, address, social security number, and eligibility information (such as hours worked) could be PHI. Another source of confusion is that unless the information is created or received by a covered entity, it is not PHI, even if it is medical information. For example, medical information that is revealed by a participant to a trustee, business agent, or employee is not PHI. Even if the trustee or agent is receiving the information in order to interact with the plan on the participant's behalf, they can freely give the information to the plan. However, in order for the trustee or agent to get a response from the plan, they would then need to have an authorization from the participant to receive that information.

3. Am I a business associate?

Business associates are persons that perform, or assist a covered entity in performing, an activity that involves the use or disclosure of individually identifiable health information or any other function regulated by the privacy rules, or who provide certain services to or for a covered entity. Key to this definition, though, is that the service in question must involve the use of PHI. Borzi noted that it is possible for a covered entity to be the business associate of another covered entity. Even though both entities are directly covered by the privacy rules, they will still need to create an agreement to govern the activities that involve the use of the PHI.

The typical business associates of a group health plan include TPAs; PPOs, HMOs and IPAs; independent medical reviewers and UR entities; PBMs; vendors performing payroll services or data processing; vendors who administer COBRA, flexible benefit plans, dental or vision plans or certain disease management programs; and health insurance brokers and agents. Borzi noted that employees of a covered entity, such as employees who run a self-administered multiemployer plan, are not business associates. Employers and other plan sponsors (such as a board of trustees of a multiemployer plan) are not business associates either, nor is the union that represents workers covered under the group health plan.

Covered entities must still come into compliance with the business associate rules by the compliance date of April 14, 2003. However, the privacy rules finalized in August created a new transition rule. If a covered entity had a contract or other written agreement with its business associate in place by October 15, 2002, and if that agreement is not renewed or modified between October 15, 2002 and the HIPAA compliance date of April 14, 2003, the business associate contract requirements would be effective on the earlier of the date of the contract renewal or modification or April 14, 2004.

4. What rules apply to fully insured group health plans?

Under the privacy rules, a group health plan is not required to have a privacy officer, train its employees, establish a complaint mechanism, or have written privacy policies or procedures if the group health plan:

- offers only HMO or fully insured benefits;
- does not create or use PHI for plan administration or any other purpose; and
- uses only summary or de-identified information for settlor purposes.

5. Do the privacy rules apply to agents and brokers?

Borzi clarified that the privacy rules will apply to agents and brokers differently depending on whom they are working for and where they are getting the PHI. For instance, agents and brokers who use and disclose PHI from group health plans to assist plan sponsors in obtaining insurance or reinsurance for the plan are business associates and need to enter into business associate agreements with the plan. On the other hand, agents and brokers who obtain individually identifiable information from covered individuals and assist them in their dealings with the group health plan must obtain an authorization from the individual if they are also going to obtain PHI from the plan.

6. How are health FSAs affected by the privacy rules?

A health FSA is a covered entity, unless it is a small plan. Therefore, vendors that administer health FSAs are business associates and must form business associate agreements with the plan. Since health FSAs are often offered along with health plans, there may be some question as to whether information can be shared between the plans. Under §164.506 of the regulations, a covered entity that participates in an organized health care arrangement may disclose protected health information about an individual to another covered entity that participates in the organized health care arrangement. Therefore, health plans can share PHI with FSAs if the use or disclosure is for payment or health care operations.

7. Do the privacy rules apply to workers' compensation?

Workers' compensation carriers are not covered entities. PHI cannot be shared with workers' compensation carriers unless:

- the individual who is the subject of the PHI authorizes the disclosure, or
- the disclosure is required by law and the disclosure is limited to what the law requires.

Borzi noted that not all states have mandatory disclosure laws relating to workers' compensation; covered entities in states that do have such laws will be permitted to disclose PHI, but only the amount required by that state's law.

8. How do the privacy rules affect participant assistance?

Borzi noted that the rules allow trustees, union business managers, and business agents to continue to assist participants who need help with benefit claims and appeals. Agents can always relay information about the participant to the group health plan, but the group health plan will not be able to share PHI with the agent without the authorization of the individual. The authorizations given in these instances must:

- be specific (i.e., include the name of both parties, the right of the individual to revoke, etc.; blanket releases are no longer valid);
- contain an expiration date;
- be signed and dated by the individual; and
- indicate that if disclosure is made to a non-covered entity, the PHI will no longer be protected.

9. Can PHI be disclosed to family members?

As a general rule, PHI must be disclosed to the individual who is the subject of the PHI and can be disclosed to others only with the authorization of the individual or if the privacy rule permits it. There are no special rules allowing the disclosure of PHI to family members except in the case of a minor child or in the case of a medical emergency. In the case of a minor, parents are presumed to be the personal representatives of minor children, with full access to and control of the PHI of those children, except where a minor can obtain a particular health service without parental consent. In addition, minors can request that covered entities restrict uses or disclosures for treatment, payment and health care operations.

Borzi suggests that covered entities review their policies in this area. For instance, a group health plan will have to establish procedures for verifying the identity of a person calling for information and for dealing with inquiries from spouses, parents and providers. Plans should also review their policies for sending out explanations of benefits (EOBs). EOBs are often sent to the participant regardless of whether the participant or a dependent is the subject of the EOB. While this situation is not directly addressed in the rules, Borzi suggests that where the EOB contains medical information, the plan should send it to the patient, and not to the participant.

10. What are the duties of the privacy officer?

Covered entities are required by the rules to designate a contact person or office to receive participant complaints, to provide further information about privacy policies and procedures, and to document all complaints and their disposition. Covered entities must also train all members of their workforces on their privacy policies and procedures and document that such training took place. Finally, covered entities must ensure that they have adopted appropriate administrative, technical, and physical safeguards to protect PHI.


Copyright © 2021 ALM Media Properties, LLC. All Rights Reserved.