Employee Benefits Bulletin, June 2002

Summary of HIPAA Privacy Regulations
Compliance Deadlines are Approaching...Are You Ready?

Conceptual Overview

The Privacy Regulations treat group health plans as separate and distinct entities from the employer/plan sponsor of such plans, even though employees of a plan sponsor are usually working for both the group health plan and the plan sponsor. Under the Privacy Regulations, group health plans are required to protect the privacy of health information by, among other things, establishing certain administrative procedures and policies, amending plan documents if protected health information is distributed to plan sponsors, and entering into business associate contracts with service providers. These requirements apply to group health plans and not to employers/plan sponsors.

If employees of plan sponsors are using or disclosing protected health information from a group health plan, then such plan sponsor employees must do so pursuant to an amendment to the plan document and other requirements set forth in Section 164.504(f) of the Privacy Regulations (discussed below). Section 164.504(f) of the Privacy Regulations attempts to provide for a firewall between the group health plan and the plan sponsor.

However, because employees of the group health plan are usually employees of the plan sponsor, this summary describes the requirements under the Privacy Regulations for both the group health plan and the employer/plan sponsor.

Required and Permitted Disclosures by Covered Entities

The Privacy Regulations generally provide that Covered Entities may not use or disclose protected health information ("PHI"), except as expressly required or permitted by the Privacy Regulations. PHI is generally defined as individually identifiable health information that is transmitted or maintained by electronic media or is transmitted or maintained in any other form or medium. Individually identifiable health information is defined as health information that either actually identifies the individual or creates a reasonable basis to believe that the information would identify the individual. PHI remains protected during the life of the individual, and thereafter for as long as the Covered Entity maintains the information.

Covered Entities include a health plan, a health care provider and a health care clearinghouse. Plan sponsors, employers, and life, disability and workers' compensation insurers are not Covered Entities under the Privacy Regulations.

Covered Entities are required to disclose PHI regarding an individual only (1) to the individual who is the subject of the PHI when the individual requests it, and (2) to the Secretary of Health and Human Services when the Secretary is investigating a complaint or determining a Covered Entity's compliance with the Privacy Regulations.

In general, the Privacy Regulations permit Covered Entities to use or disclose PHI for treatment, payment or health care operations ("TPO"), unless the Covered Entity is a health care provider. If the Covered Entity is a health care provider, then the health care provider must obtain the individual's consent to use or disclose PHI for TPO.

Unless otherwise specified in the Privacy Regulations, a Covered Entity may only use or disclose PHI for purposes other than TPO when it receives a valid authorization by the individual in the form prescribed by the Privacy Regulations. Any use or disclosure must be consistent with that valid authorization.

Furthermore, if the Covered Entity is authorized to use or disclose PHI, the Covered Entity must make reasonable efforts to limit PHI to the minimum amount of PHI necessary to accomplish the intended purpose of the use or disclosure. For routine uses of information, the Privacy Regulations permit the Covered Entity to adopt general procedures for determining what is the minimum necessary information and to apply the general procedures to those uses or disclosures. If such general procedures are adopted by the Covered Entity, then individualized determinations of minimum necessary will be required only in specialized instances.

Special Disclosure Rules for Disclosure to Employers and Plan Sponsors

The Privacy Regulations provide special disclosure rules for disclosures of PHI to employers and plan sponsors of group health plans. The Privacy Regulations specifically permit the group health plan to provide summary health information to the plan sponsor of the group health plan for the purposes of obtaining premium bids for health insurance coverage or of modifying or terminating the group health plan. The group health plan may also provide information about an individual's enrollment in or disenrollment from the group health plan. If the plan sponsor only receives summary health information and enrollment information, then the special requirements of Section 164.504(f) of the Privacy Regulations do not apply.

Additionally, the plan sponsor may always receive de-identified information from its group health plan without meeting the special requirements of Section 164.504(f) of the Privacy Regulations. De-identified information is PHI that has been stripped of all identifying data which might enable someone to recognize the individual who is the subject of the information.

If a plan sponsor desires to have access to information from the group health plan other than summary health information, enrollment information and de-identified information, then the requirements of Section 164.504(f) must be met. Generally, before plan sponsors can have access to PHI held by group health plans, the group health plan documents must be amended to identify which employees or groups of employees of the plan sponsor will have access to the PHI and the purposes for which PHI will be used. If those employees perform other functions for the plan sponsor, the plan sponsor will have to establish firewalls to assure that PHI is not used by those employees to perform other non-group health plan functions (such as employment-related activities or activities related to other employee benefits or benefit plans the employer sponsors). The plan sponsor must then certify to the group health plan that plan documents have been amended to comply with the Privacy Regulations. The plan documents must be amended to incorporate provisions to:

  • Establish and describe how PHI will be used by the plan sponsor;
  • Identify those employees or classes of employees who will have access to PHI and under what circumstances this access will be permitted;
  • Establish an effective mechanism for resolving any issues of non-compliance; and
  • Provide that the group health plan will only disclose PHI to the plan sponsor upon receipt of a certification that the plan documents have been amended to incorporate the agreement of the plan sponsor.

The plan sponsor certification to the group health plan must reflect the plan sponsor's agreement:

  • Not to use or further disclose PHI other than as permitted or required by the plan documents or as required by law;
  • To ensure that any agents or subcontractors to whom it provides PHI will also abide by the same restrictions that apply to the plan sponsor;
  • Not to use or disclose the information for employment-related actions or decisions or in connection with any other non-group health employee benefit plan of the plan sponsor;
  • To report to the group health plan any use or disclosure of information that is inconsistent with the permitted uses or disclosures of which the plan sponsor becomes aware;
  • To make PHI available consistent with Section 164.524 (relating to an individual's access to his or her own PHI) and Section 164.526 (relating to the ability of the individual to amend and correct his or her own PHI);
  • To make available the information required to fulfill the accounting of disclosures requirements of Section 164.528;
  • To make its internal practices, books and records relating to the use or disclosure of PHI available to the Secretary of HHS for audit purposes;
  • If feasible, to return or destroy all PHI received from the group health plan that the plan sponsor retains in any form when no longer needed for the purpose for which the disclosure was made; and
  • To ensure that adequate separation between the group health plan and plan sponsor exists to assure confidentiality of PHI.

Special Disclosure Rules for Disclosures to Business Associates

The Privacy Regulations also provide special disclosure rules for transactions between Covered Entities and their business associates. Business associates are defined as those persons who perform or assist in the performance by a Covered Entity of a function or activity involving the use or disclosure of PHI or those persons who provide certain services to or on behalf of the Covered Entity, including legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services.

Generally, Covered Entities may only share PHI with business associates pursuant to a contract that limits the use and disclosure of PHI under the same restrictions that apply to the Covered Entity. A contract between a Covered Entity and its business associate must meet the requirements of Section 164.504(e)(2) or (e)(3) of the Privacy Regulations. The Privacy Regulations provide that the business associate contract must, among other things:

  • Set out the permitted and required uses and disclosures of PHI by the business associate;
  • Provide that the business associate will: (1) not use or further disclose PHI except as permitted by the Privacy Regulations; (2) use appropriate safeguards to assure the proper use of PHI; (3) report to the Covered Entity any inappropriate or non-contractually agreed upon use of PHI of which it becomes aware; (4) ensure that its employees, agents, and subcontractors agree to the same restrictions that are imposed on the business associate; and (5) permit the Secretary of HHS access for audit purposes to its internal practices, books and records relating to the use or disclosure of PHI.

Individual Rights

The Privacy Regulations provide that individuals have a right to:

  • Inspect and obtain a copy of all PHI relating to the individual;
  • Amend and/or correct that PHI;
  • With certain exceptions, receive an accounting of the uses and disclosures of their PHI (other than TPO); this right applies to disclosures made in the six-year period prior to the request for an accounting (but not before April 14, 2003);
  • Receive notice and a full description of the Covered Entity's use and disclosure practices; and
  • Challenge the Covered Entity's use or disclosure of PHI through complaints to (1) the Covered Entity and (2) the Secretary of HHS.

Administrative Requirements for Covered Entities

Under the Privacy Regulations, Covered Entities must:

  • Designate a privacy official;
  • Develop a privacy training program for employees;
  • Implement safeguards to protect PHI from intentional or accidental disclosure or misuse;
  • Provide a complaint mechanism for individuals to challenge the use or disclosure of health information;
  • Develop sanctions for employees or business partners who violate the Covered Entity's privacy policy or procedures;
  • Mitigate any harm that might occur from improper disclosure;
  • Not require individuals to waive their privacy rights under the regulation as a condition of enrolling in the health plan, eligibility for benefits, treatment, or payment; and
  • Maintain documentation of the Covered Entity's policy or procedures for complying with the regulation.

Enforcement

The Secretary of HHS can bring enforcement actions against Covered Entities. The Secretary may impose civil monetary penalties of not more than $100 per person per violation and up to $25,000 for violations of a single standard within a single calendar year. Additionally, criminal penalties of fines of not more than $50,000 and/or imprisonment for not more than one year may be imposed. The Privacy Regulations do not provide for a private right of action for wrongful disclosures of PHI.

Effective Date

Covered Entities must be in compliance not later than April 14, 2003 (April 14, 2004 for small health plans). On March 27, 2002, HHS proposed modifications to the HIPAA Privacy Regulations. We will keep you updated if and when any of these proposed modifications are to become effective.

For more information on the HIPAA privacy regulations and requirements, contact Nancy Bolyard.