SECTION TWO: EMPLOYERS/PLAN SPONSORS AND GROUP HEALTH PLANS
The final privacy regulation is applicable to covered entities, which are defined as health plans, health care clearinghouses and health care providers who conduct certain financial and administrative transactions electronically. Employers or plan sponsors who provide health plans are NOT covered entities, but the group health plans they establish for their employees are covered entities. Group health plans are covered entities under HIPAA and are defined as "an individual or group plan that provides, or pays the cost of, medical care". This definition includes the following:
- Group health plan: an employee welfare benefit plan, including insured and self-funded plans, established by the plan sponsor that provides for medical care benefits and that either has 50 or more participants or is administered by another business entity. The benefits can be fully insured by a health insurance carrier or administered by an external nonaffiliated third party (such as a third-party administrator);
- Employee welfare benefit plan or any other arrangement that is established or maintained for the purpose of offering or providing health benefits to the employees of two or more employers;
- Any other individual or group plan, or combination of individual or group plans, that provides or pays for the cost of medical care;
- An insurer, but only when actually providing group health insurance and not simply acting as a third-party administrator;
- An HMO.
WHAT DOES HIPAA PRIVACY MEAN TO GROUP HEALTH PLANS?
The HIPAA privacy regulations will significantly affect group health plans. The degree of this impact will depend greatly on whether the group health plan is fully insured or self-funded for its health care benefits. Another variable affecting the impact of HIPAA compliance on groups is the amount of PHI that the group health plan elects to receive.
What Does Noncompliance Mean?
Group health plans should be aware that not complying with the regulation could mean both civil and criminal penalties. (Please refer to the previous section on accountability for details on the potential penalties for noncompliance.) With these types of consequences at stake, group health plans must familiarize themselves with the privacy regulation and how they can become compliant.
Are Groups Subject to the HIPAA Privacy Regulation?
Most group health plans (except self-administered group health plans with fewer than 50 participants and certain government-funded plans) are covered entities as defined by the privacy regulation. There is no distinction in the definition of group health plan between insured groups and self-funded groups. Therefore, group health plans are subject to the privacy regulation. However, the regulations include exceptions that allow groups, under certain circumstances, to both limit their exposure to the penalties for noncompliance mentioned above and reduce the level of effort needed to comply.
Strategy for Compliance
The first step is for the group health plan to determine its insurance status as either fully insured or self-funded. While there is no distinction in the definition of group health plan between fully insured and self-funded groups, there is a difference in what a group must do to comply based on its insured status.
The next step is to determine how important it is for the group health plan to receive PHI. The following information will assist each group health plan in analyzing what it needs to do to comply with the privacy regulations.
FULLY INSURED GROUP HEALTH PLANS
Fully insured plans that have access to PHI (other than enrollment/disenrollment and eligibility data and summary health information) must fully comply with all the following provisions of the privacy regulations:
- Develop and implement privacy policies and procedures.
- Furnish a Notice of Privacy Practices to its members.
- Appoint a privacy official and establish a contact office.
- Train employees on their privacy policies and procedures and establish sanctions for violations.
- Implement data privacy and security safeguards.
- Develop a mitigation plan in the event of privacy breaches.
- Establish a complaint process for members.
- Allow for access, copying and requests for amendment of PHI.
- Provide for an accounting of disclosures to their members upon request.
- Retain compliance documentation for six years.
Important Exception: If a fully insured group health plan elects to receive only summary health information, it will fall under the insurer's HIPAA privacy umbrella. Summary health information is PHI that summarizes claims history, claims expenses or types of claims experience by enrollees for whom the plan sponsor has provided health benefits under the group health plan and is stripped of all individual identifiers, but it is not necessarily fully de-identified as defined by the privacy regulation. The level of effort required to comply with the privacy regulations will be significantly reduced, as indicated below:
- No HIPAA-specific privacy policies and procedures required;
- No Notice of Privacy Practices to distribute or maintain;
- No requirement to appoint a privacy official and establish a contact office;
- No employee privacy training or sanctions required;
- No HIPAA-specific data privacy and security safeguards required;
- No HIPAA-specific complaint process required;
- No requirement to allow members to access, copy or request to amend their PHI;
- No requirement to provide enrollees with an accounting of disclosures;
- Must only retain any plan document amendments for six years.
If fully insured group health plans elect not to receive PHI, and elect instead to receive only summary health information, they should formally document this decision and modify any of their existing practices that involve greater use of PHI.
SELF-INSURED GROUP HEALTH PLANS
Fully and partially self-funded group health plans are not granted the same exceptions for compliance with the HIPAA privacy regulations as those available to fully insured group health plans. This means that the self-funded group health plan must fully comply with all provisions of the privacy regulations that were outlined above for fully insured group health plans that elect to receive PHI. However, even though they must comply with all provisions of the regulation as outlined above, self-funded group health plans may be able to reduce the actual amount of administrative work they must do by limiting the amount of PHI that their employees use or disclose.
A self-funded group health plan can do this by hiring a third-party administrator to administer its benefits and electing to receive only enrollment or eligibility data and summary health information. Because many of the administrative requirements of the regulations can be included in a business associate contract between the group health plan and the third-party administrator (provide access and amendment, account for disclosures, safeguard the PHI, provide access to books and records, etc.), the administrative burden for such a group to comply with the regulations is less than if the group receives PHI on individual members and the treatment they receive.
GROUP HEALTH PLANS AND THEIR BUSINESS ASSOCIATES
When group health plans have taken the necessary steps to become HIPAA compliant based on their fully insured or self-funded status, as well as the amount of PHI they elect to receive or create, they must then ensure that their business associates are HIPAA compliant as well. A business associate is an external nonaffiliated third party that the covered entity contracts with to perform a covered function(s) on its behalf involving the use or disclosure of PHI. For example, an insurer that provides third-party administration for a self-funded plan is the business associate of the self-funded plan.
Group health plans that share PHI with their business associates must obtain "satisfactory assurance" that their business associates will safeguard their enrollees' PHI. This is accomplished by executing a written contract or contract amendment with their business associates, which contractually obligates the business associates to protect the PHI they create, use or disclose. Therefore, the business associate contracts must specify that the business associate:
- Must use and disclose PHI only as permitted by the contract with the group health plan and consistent with the privacy regulations;
- Must implement data privacy and security safeguards;
- Must ensure any agents or subcontractors they employ to help fulfill their contract obligations to the group health plan adhere to the same restrictions;
- Must provide enrollees with access, amendment and disclosure accounting upon request;
- Must report improper use or disclosure of PHI to the group health plan;
- Must make its books and records available to the Department of Health and Human Services upon request;
- Must return or destroy PHI at the end of the contract if feasible to do so. If not feasible, the business associate must ensure that no improper use or disclosure of PHI occurs.
IMPACT OF HIPAA ON DISCLOSURES TO PLAN SPONSORS
The privacy regulations have a significant impact on the information that can be made available to a plan sponsor. The plan sponsor is usually the employer. The plan sponsor is the legal entity that establishes and maintains the group health plan. The plan sponsor can be an employer, a union, a joint board of trustees or other similar group. Plan sponsors are not covered entities under HIPAA.
More specifically, the group health plan (and the insurer that services it) may not disclose their enrollees' PHI to the employer or plan sponsor. However, the plan sponsor may receive summary health information from the group health plan or the insurer for obtaining bids on the plan's health insurance coverage or for the purpose of modifying, amending or terminating the health plan. As described earlier, summary health information is PHI that summarizes claims history, claims expenses or types of claims experience by enrollees for whom the plan sponsor has provided health benefits under the group health plan and is stripped of all individual identifiers but is not necessarily fully de-identified as defined by the privacy regulation.
There is an exception to the prohibition on making PHI available to the plan sponsor when the plan sponsor performs "plan administrative functions" for the group health plan (such as case management, utilization review, overpayment recovery, reimbursement, benefits administration, etc.). If this is the case, the group health plan or insurer may disclose PHI to the plan sponsor for such plan administration purposes only if the plan documents are amended to include the following provisions:
- The PHI must be safeguarded per the requirements of the privacy regulation.
- The plan sponsor employees who are given access to the PHI must be described.
- Employee access to and use of PHI must be restricted to the specific plan administrative functions involved.
- No use or disclosure to make employment decisions or in conjunction with the plan sponsor's other employee benefit plans is allowed.
- All agents and subcontractors must adhere to the same restrictions as the plan sponsor on use and disclosure of PHI.
- Enrollees must be provided the right to access, copy, amend and receive an accounting of disclosures upon request.
- PHI must be returned to the group health plan or insurer when no longer needed, or else the plan sponsor must ensure that there is no improper use or disclosure of the PHI.
- Procedures must be defined for resolving issues of noncompliance.
The group health plan or insurer must disclose only the minimum amount of PHI necessary to accomplish the plan administrative function(s) to be performed by the plan sponsor. The group health plan or insurer can rely on the plan sponsor's certification that the plan documents have been properly amended, and they are not required to review the actual documents themselves.