HIPAA Privacy Issues for Employers Who Sponsor Group Health Plans

October 2002

What are the HIPAA privacy rules?

The recently adopted HIPAA privacy rules (45 CFR Parts 160 and 164, 67 Fed. Reg. 53182 August 14, 2002) were issued pursuant to the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act (HIPAA). Employers are already familiar with the portability provisions of Title I of HIPAA governing pre-existing condition exclusions, special enrollment and health nondiscrimination rules that have been in effect for several years. The Administrative Simplification provisions were designed to improve the efficiency of the health care system and to facilitate the electronic exchange of information among health plans, health care clearinghouses and health care providers, while at the same time securing such information and keeping it private.

The privacy rules provide guidelines for safeguarding the use and disclosure of individually identifiable health information and place certain requirements on "covered entities" that use or disclose "protected health information" (PHI). The general HIPAA privacy rule is that covered entities may not use or disclose PHI except as authorized by the individual who is the subject of the information or as explicitly required or permitted by the regulations. When the use or disclosure of PHI is permitted, in most circumstances, only the minimum necessary amount of PHI needed to accomplish the intended purpose of the use or disclosure may be provided.

As an employer, am I subject to the HIPAA privacy rules?

Covered entities are subject to the HIPAA privacy rules. Covered entities are defined as health plans, health care providers conducting certain electronic transactions and health care clearinghouses. While employers are technically not subject to the HIPAA privacy rule, ERISA group health plans sponsored by employers are covered entities. Often the only tangible evidence of an ERISA group health plan is the plan document, summary plan description or contractual agreements governing the operation and administration of the plan. Accordingly, the employer must act on behalf of the ERISA group health plan in fulfilling its compliance obligations under the HIPAA privacy rules.

What is the effective date of the HIPAA privacy rules?

The rules are generally effective April 14, 2003. Small group health plans, i.e., those with annual receipts of $5 million or less, have an additional year to comply, until April 14, 2004. The Centers for Medicare and Medicaid Services (CMS) has issued guidance on how to determine annual receipts for this purpose. Generally, for fully insured health plans, total premiums paid for health benefits should be used. For self-insured health plans, the total amount paid in health care claims should be used. Plans that are partially insured and partially self-insured can use a combination of premiums and claims.

What types of group health plans are covered entities under the HIPAA privacy rule?

Almost all types of group health plans are covered entities, including medical, dental, vision, prescription drug, health care flexible spending account plans and certain employee assistance programs, provided they have at least 50 participants or are administered by someone other than the employer. Long-term disability plans, short-term disability plans, life insurance plans, stop-loss insurance and workers’ compensation plans are not covered entities under the HIPAA privacy rules.

What is protected health information?

Protected health information, or PHI, is defined as individually identifiable health information that is transmitted or maintained electronically or in any other form or medium. Individually identifiable health information is information that is created or received by a health care provider, health plan, public health authority, employer, life insurer, school, university or health care clearinghouse that relates to the past, present or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present or future payment for the provision of health care to an individual and identifies the individual or creates a reasonable basis to believe that the information would identify the individual.

Health information containing any of the following identifiers of the individual, or of relatives, employers or household members of the individual, would be considered PHI under the regulations: name, address, any date directly related to the individual (e.g., birth date, treatment date, discharge date), Social Security number, medical record number, health plan benefit number, telephone or fax number, account number, vehicle identification number or license plate number, e-mail address and any other individually identifying number, characteristic or code. PHI does not include employment records, i.e., records that are not maintained or created by the group health plan.

How can a covered entity use or disclose protected health information under the privacy rule?

A covered entity may only use or disclose PHI with the authorization of the individual or as explicitly permitted or required by the regulations. Health plans may use or disclose PHI for treatment, payment or health care operations without the individual’s consent or authorization. The term "treatment" includes the provision, coordination and management of health care. The term "payment" refers to such things as eligibility or coverage determinations, claims review, utilization review, coordination of benefits and medical necessity determinations. "Health care operations" refers to certain services or activities necessary to carry out the covered functions of the health plan, such as business planning and development, underwriting and premium rating review, auditing claims for plan benefits and the exchange of PHI in connection with certain business transactions.

A group health plan may also use or disclose PHI in specific situations. For example, a group health plan may disclose PHI to a health care provider for purposes of treatment or to another covered entity for purposes of payment or certain types of health care operations. In addition, a group health plan can disclose an individual’s PHI to the individual, or to others pursuant to an express authorization from the individual that meets certain requirements. A group health plan may also use or disclose de-identified health information, and may use or disclose PHI when otherwise permitted or required by law for reasons such as public health and safety and law enforcement.

What is the minimum necessary rule?

A group health plan must make reasonable efforts to limit PHI use and disclosure to only the minimum use or disclosure necessary to accomplish the intended purpose of such use or disclosure. This requirement is met, in part, by limiting the number and classes of people who have access to PHI and by limiting the type and amount of information that is used or disclosed. This requirement does not apply to use and disclosure authorized by the individual, use and disclosure to the individual and use and disclosure required by law.

Can the group health plan disclose PHI to its vendors, such as record keepers, third-party administrators and auditors?

Entities that carry out plan administration functions on behalf of the group health plan are known as "business associates." A business associate is a person or entity who performs a function or activity involving the use or disclosure of PHI for or on behalf of a covered entity, such as third-party administrators, consultants, lawyers and auditors. A group health plan may disclose PHI to a "business associate" only with satisfactory assurance from the business associate that the PHI will be properly protected.

What requirements have to be met in order for the group health plan to disclose PHI to its business associates?

The plan and business associate must enter into a written agreement where the business associate promises the following:

  • The business associate will only use PHI as permitted under the agreement or required by law, will establish appropriate safeguards to prevent impermissible use or disclosure of PHI and will report known misuse of PHI by the business associate to the plan.
  • The business associate must impose the same requirements on its subcontractors and agents.
  • The business associate must agree to make an accounting of disclosures of PHI available to individuals in the group health plan and create internal policies and procedures relating to the use and disclosure of PHI, which must be available to HHS upon request.
  • The business associate agreement must provide that upon termination, the business associate, if feasible, will return or destroy all PHI or extend the protections of the business associate contract to the information and limit further disclosures or uses to purposes that make the return or destruction infeasible.

A violation of the HIPAA privacy regulations by the business associate will be considered noncompliance by the group health plan only if the plan knew of the breach and failed to take reasonable steps to cure the breach or terminate the business associate contract.

If the employer and business associate have a written agreement as of October 15, 2002, the business associate contract provisions do not have to be entered into until the earlier of April 14, 2004, or the date the contract is otherwise amended. However, the group health plan must still comply with the individual rights requirements of the HIPAA privacy rules with respect to PHI held by the business associate.

Can the group health plan disclose PHI to the employer?

It depends on whether the employer is acting in its capacity as "plan sponsor" of the group health plan or as the employer for employment-related purposes.

Plan sponsors may obtain summary health information from the group health plan for purposes of obtaining premium bids, to modify, amend or terminate the plan or for eligibility and enrollment determinations. Summary health information summarizes claims history, claims expenses or types of claims experienced by individuals for whom the plan sponsor has provided benefits and is stripped of individually identifiable information. In all other cases, in order for the group health plan to disclose PHI to the plan sponsor, the individual must authorize the disclosure, or if the disclosure is for plan administration purposes, the plan sponsor must amend the plan document to provide for such disclosures.

In order for the employer to obtain PHI from the group health plan for employment-related activities, the employer must obtain an authorization from the individual.

What are the requirements for the group health plan to disclose PHI to the plan sponsor for plan administration purposes?

The employer sponsor of a group health plan often is also the plan administrator, i.e., the fiduciary named in the written document establishing the plan, which has the ultimate legal responsibility for the proper operation and administration of the plan. In that case, the employer may require plan participants’ PHI in certain instances in order to fulfill its responsibilities for plan administration. Because sponsors of group health plans are not covered entities, a plan may disclose PHI to a plan sponsor only if the following requirements are met:

  • The plan document must be amended to identify those employees of the plan sponsor who will have access to PHI and the purposes for which PHI will be used.
  • The plan sponsor must certify to the plan that the plan documents have been amended to comply with the regulations, and the plan sponsor will act in accordance with the regulations.
  • The plan sponsor cannot use or disclose PHI for employment-related actions or decisions or in connection with any other benefit or benefit plan of the plan sponsor.
  • The plan sponsor must establish separation between the plan and the plan sponsor. This involves identifying those employees who will have access to PHI and restricting access to and use of PHI by such employees.

Furthermore, the plan sponsor must agree to make an accounting of disclosures of PHI available to individuals in the group health plan and create internal policies and procedures relating to the use and disclosure of PHI, which must be available to HHS upon request. To be compliant, the plan sponsor must also provide a mechanism for resolving noncompliance with the HIPAA privacy regulations.

As the employer sponsor of the group health plan, do I have to receive PHI? If I don’t receive PHI, do I still have to comply with these requirements?

This depends on whether your plan is fully insured or self-funded. If your plan is fully insured, you can choose not to receive PHI, and then your only obligations are to refrain from retaliatory or intimidating acts if one of your employees seeks to exercise his or her rights under the privacy rules; not to require employees to waive their rights under the regulations; and to obtain an authorization from the individual if you find you need access to that individual’s PHI. (Authorizations have certain elements that are required by the regulations. You may want to request an authorization form from the HMO or insurer to ensure they will accept the form you provide.) If your plan is self-funded, you will need access to PHI in order to administer your plan (e.g., to fund claims); therefore, the employer sponsor will need to comply with all of the requirements.

Do plan participants have any rights under the HIPAA privacy rules?

Individuals have certain rights under the privacy rules with regard to their own PHI. An individual can request access to and obtain copies of his or her PHI, request that the group health plan amend his or her PHI, request an accounting of disclosures of his or her PHI or restrict the use and disclosure of his or her PHI. In addition, the group health plan must adopt and document its policies and procedures with respect to individual rights under the HIPAA privacy rules.

As an employer, am I required to give any notice to my employees about the HIPAA privacy rules?

This depends on whether your plan is self-insured or fully insured.

Employers who sponsor self-insured group health plans must provide plan participants with a notice regarding the plan’s uses and disclosures of PHI, the individual’s privacy rights and the plan’s legal duties regarding PHI. Self-insured plans must maintain and provide the notice as required by the privacy rule to plan participants and beneficiaries. The notice must be provided by April 14, 2003 (for most plans) to all current participants. Thereafter, the notice must be provided as of the enrollment date to new participants, within 60 days of any material revision to the notice and upon request. The notice must separately describe each use and disclosure the plan makes of PHI, and it must provide that the plan will disclose PHI to the plan sponsor. The notice must also be posted on any websites the employer uses for purposes of administering its benefit plans.

For fully insured plans, the HMO or health insurance issuer must provide plan participants with a notice regarding the plan’s uses and disclosures of PHI, their individual privacy rights and the plan’s legal duties regarding PHI. The notice must be provided in accordance with the privacy regulations.

What actions do I need to take in order to be in compliance with the HIPAA privacy rules?

Employers should begin taking steps to implement the new regulations as soon as possible in order to be in compliance by April 14, 2003. The following is a partial list of items that group health plans must complete to be compliant with the HIPAA privacy regulations:

  • Establish a privacy committee and appoint a privacy officer.
  • Perform an audit of current uses and disclosure of PHI and identify who has contact with PHI.
  • Review and amend vendor contracts and enter into agreements with business associates.
  • Establish policies and procedures for complying with the HIPAA privacy regulations and develop authorization forms and individual notices. Policies are required for routine use and disclosure of PHI, minimum necessary requirements, individual authorization, de-identification of PHI, employee training and sanctions, record retention and security. Procedures are required to obtain authorizations, to enforce individual rights and to handle complaints and for developing, maintaining and distributing the privacy notice.
  • Conduct training of employees and establish firewalls between the employer and group health plan.
  • Amend the group health plan and summary plan description to permit use and disclosure of PHI. Provide a certification that this amendment has been made to the group health plan and/or HMO/insurer.

Can employers still obtain health information when performing employment-related functions such as return-to-work physicals, drug testing, FMLA determinations, workers' compensation administration, disability assessment, etc.?

As long as the employer does not obtain, use or share any information maintained by the group health plan in connection with employment-related functions, the employer may continue to collect and use health information in connection with such programs. It is important, however, for the employer to establish firewalls between those members of the workforce involved in administration of the group health plan and members of the workforce involved in employment-related functions, as well as to adequately train individuals on the employer’s privacy practices and procedures under the HIPAA privacy rules.

Can I integrate my disability and workers’ compensation programs with my health plan?

Because disability plans and workers’ compensation programs are not covered entities for purposes of the HIPAA privacy rules, a group health plan cannot disclose PHI to such plans or programs without authorization from the individual. Employers who wish to continue to integrate such programs after the effective date of the HIPAA privacy rules must obtain an individual’s authorization as part of the application for disability or workers’ compensation benefits.

Are employers required to make any governmental filings in connection with HIPAA compliance?

Major components of the Administrative Simplification rules are the standards for electronic transactions of health information and the medical code set rules. These standards govern the ways in which covered entities communicate electronically with one another regarding health care transactions. While employers are not required to transmit data to their group health plans or vendors in the standard formats, group health plans are required to use the standard formats in conducting transactions such as claims reporting, eligibility and enrollment, coordination of benefits, premium payment, etc. These rules were originally effective October 16, 2002. However, pursuant to the Administrative Simplification Compliance Act, an employer may apply for a one-year extension of the rules on behalf of the group health plan, to October 16, 2003. In order to be eligible for the extension, the employer must file a compliance implementation plan with the Centers for Medicare and Medicaid Services (CMS) on or before October 15, 2002. Extensions can be applied for directly on CMS’ website at http://www.cms.hhs.gov/hipaa/hippa2/ascaform.asp

What are the penalties for noncompliance with the HIPAA privacy rules?

Employers should begin taking steps to implement the requirements under the new regulations as soon as possible in order to be in compliance by the general effective date of April 14, 2003. The privacy regulations impose substantial penalties for noncompliance. The civil penalty is up to $100 per person per violation, with a maximum of $25,000 per person for the violation of a single rule in a calendar year. The U.S. Department of Health and Human Services (HHS) may also impose criminal penalties for the knowing misuse of PHI. Criminal penalties are subject to a maximum of $50,000 and/or one year in prison. Finally, other penalties may apply for the sale of PHI or the use of PHI under false pretenses. These penalties are subject to a maximum of $250,000 and/or 10 years in prison.

HHS has stated that penalties will be based on the harm to the individual for noncompliance as well as the willingness of the group health plan to become compliant. Under the regulations, HHS is authorized to conduct compliance reviews of covered entities and to investigate complaints regarding the improper use and disclosure of PHI. The regulations do not specifically empower employees and patients with a right to sue a covered entity for the improper use or disclosure of PHI. State laws, however, may provide individuals with such a right. Generally, state laws that do not conflict with the federal rules are not preempted by the HIPAA privacy regulations.

McDermott Will & Emery