The American Bar Association’s Joint Committee on Employee
Benefits has posted its report of its annual question and answer session with
representatives from HHS’s Office for Civil Rights (OCR).
The following are some excerpts from the Q&A session between
the Department of Health and Human Services and the Joint Committee on Employee
Benefits. Employers and Third Party Administrators (TPAs) that offer participants
health risk assessments (HRAs) or electronic personal health records (PHRs)
should be aware of OCR's opinions on whether certain scenarios would violate the
HIPAA Privacy Rule.
Question 3: If an individual executes a valid HIPAA
authorization with a specified expiration date and subsequently dies before the
expiration date, how does that affect the validity of the authorization? If no expiration date is specified, does that
change the result? If the individual no
longer has the ability to revoke the authorization (because they are deceased)
is the scope of the authorization altered?
Has HHS made any efforts to coordinate state laws that may control this
issue?
Proposed Answer 3:
The Privacy Rule requires that an Authorization contain either an expiration
date or an expiration event that relates to the individual or the purpose of
the use or disclosure. 45 C.F.R. 164.508(c)(1)(v). An Authorization remains valid until its
expiration date or event, unless effectively revoked in writing by the
individual before that date or event. In
the case of a deceased participant, an executor or personal representative
could revoke the authorization in writing. The death of a participant does not by itself limit the scope of an authorization. The fact that the expiration date on an Authorization may exceed a time period established by State law does not invalidate the Authorization under the Privacy Rule, but a more restrictive State law would control how long the Authorization is effective.
Answer 3: OCR agreed with the answer, and stated that
the authorization remains valid unless it expires or is revoked. A state law could impact this outcome, but
the state law would have to be evaluated along with the specific facts of the
case. Except for specific cases
(investigations or enforcement actions) or in addressing requests for
preemption exception determinations, OCR does not make determinations as to the
application of a state law.
Question 4: May a self-insured employer discipline an
employee based on enrollment information that shows that an employee has
improperly enrolled a dependent in the employer’s health plan (e.g., ineligible
ex-spouses, ineligible children above a specific age who are not college
students, etc.)?
Proposed Answer 4: In 2005, this group discussed the extent to
which a group health plan could audit claims data and, if the plan discovered
evidence that an individual had committed claims fraud under the plan, whether that
data could be used for purposes of terminating the individual’s coverage under
the plan. At that time, HHS/OCR representatives opined that it would be very
difficult for an employer to use any evidence of the fraud to discipline the
employee without running afoul of the Privacy Rule, since the claims data is, by
its nature, Protected Health Information (PHI).
(The discussion regarding audits is reported in Q&A-5, at www.abanet.org/jceb/2005/qa05hhs.pdf.) However, that question only addressed claims
data, not enrollment data.
The preamble to the 2002 modification to the Privacy Rule
states that individually identifiable health information received or created by
the group health plan for enrollment purposes is PHI under the Privacy
Rule. 67 Fed.Reg. 53181, 53208 (Aug. 14,
2002). Therefore, when enrollment
information is transferred by an employer to the group health plan, it becomes
PHI.
An employer may discipline an employee who improperly
enrolls a dependent in the employer’s group health plan without violating the
Privacy Rule, provided that the employer takes such action without regard to
any claims data or other PHI (other than PHI that is enrollment information)
that it holds with respect to the employee or dependent.
Answer 4: The Privacy Rule regulates the conduct of
covered entities, not of employers acting in their employment capacity. An employer’s disciplining of an employee
could, on the other hand, violate the amended plan documents and the plan
sponsor’s certification pursuant to 45 C.F.R. 164.504(f)(2)(ii). OCR distinguished between information
obtained by an employer under the enrollment provision in 45 C.F.R. 164.504
(f)(1)(iii), and information obtained through a plan administration
activity. If the employer as a plan
sponsor has taken responsibility for enrollment and eligibility, then
information that the plan sponsor obtains from the Group Health Plan (GHP)
regarding whether an individual is participating in the GHP is not subject to
the plan document restriction on the sponsor’s use of that information. In order for the plan sponsor to obtain
claims information, it must amend its plan document and agree not to use or
disclose it for employment-related activities (including disciplining an
employee).
Question 6: There
has been much discussion in the trade press regarding electronic personal
health records (PHR). Many of these
discussions concern health care providers establishing and maintaining the
PHR. PHR arrangements also are provided
by employer-sponsored plans through fully-insured arrangements with a health
insurance carrier. Assume a plan
contracts with a health insurance carrier to provide fully-insured group health
benefits. The coverage also includes a
free service provided by the carrier to provide employees with electronic
personal health records (PHR). Although
the carrier and a data storage company provide the service, it is part of the
group health benefit provided by the group health plan. For employees who wish to participate,
claims and other health information such as lab results will be stored and sent
to a data management service so that participants may start to keep a personal
electronic health record. The plan has
no access to any of the information in order to administer the service. Must the plan execute a business associate
agreement with the insurance carrier in order for the carrier to access PHI for
this purpose? Is the plan required to
disclose the arrangement in its Notice of Privacy Practices?
Proposed Answer 6:
The group health plan is not required to have a business associate agreement
with the carrier where the service is offered through a fully-insured
arrangement. See generally, 45 C.F.R.
164.506(c)(5). The carrier itself is a
covered entity under HIPAA, is responsible for complying with HIPAA, and is
required to have a business associate agreement with the data storage company.
A general description of the arrangement should be included
in the Notice of Privacy Practices.
However, the health insurance carrier, not the plan, is responsible for
providing the Notice. 45 C.F.R. 164.520.
Answer 6: OCR
agreed that no business associate agreement is required between the plan and
the carrier. The carrier would be
responsible for providing the Notice of
Privacy Practices. They noted
that the disclosure in question generally falls into the definition of “health
care operations.” The requirements for
the Notice of Privacy Practices do not require an example for every type of
disclosure, so a general description of this specific arrangement is not necessarily
required, although it may be a prudent thing to do.
Question 7:
Recently, health plans, specifically employer-sponsored self-insured group
health plans, have started to provide PHRs for their employees and dependents
who participate in the health plan.
These PHRs are typically accessible from a secure website using a
specific user name and password. In
addition, one vendor’s particular type of PHR automatically integrates with a
health plan’s third party claims administrators, so that when a participant
goes to a physician and that physician files a claim with the third party claim
administrator, the claims administrator will transmit a copy of the claim to
the PHR vendor, and the PHR vendor will then automatically upload the claim
into the participant’s PHR. The PHR and
the automatic update process are provided for all participants without their
request. However, in order to access the PHR, the participant must sign on to
the secure website to view the PHR. If a
participant did not want a PHR for some reason, the participant would not be
required to view the PHR on the secure website, but it would still be resident
in the PHR vendor’s computer system in case the participant changed his or her
mind in the future. The PHR is not removed
from the computer system, because if it was, then the participant’s PHR would
not automatically update. If the
participant changed his or her mind in the future and wanted the PHR, the PHR
would then not contain any updates and would need to be started from
scratch. Because PHRs are provided
without the consent of the participant or spouse, does this violate the HIPAA
privacy rules?
Proposed Answer 7:
No. Assuming all of the appropriate
business associate contracts are in place, a PHR provided by a health plan is
part of the health plan’s health care operations activities, and can be created
and updated without the consent of the individual who is the subject of the
PHR.
Answer 7: OCR
agreed with the proposed response and stated that the provision of a PHR is part of health care operations, and
individual consent or authorization is not needed. Going forward when discussing the development
of PHRs in the context of the framework enunciated by the American Health
Information Community (AHIC), there is envisioned a heightened degree of
consumer control in regard to an individual’s PHR. In addition, OCR cautioned that, as the
industry moves towards connectivity and interoperability of individuals’ health
information, it is envisioned that such a system would incorporate some form of
consumer choice as to whether and how much to participate.
Question 8: A group health plan contracts with a health
insurance carrier to provide fully-insured group health benefits for its
employees and dependents. The carrier
provides, at no additional charge to the plan, a service designed to assist
employers in assessing the health risks of their employee population. Under this service, the carrier administers a
health risk assessment program (HRA) where employees can voluntarily fill out
an online questionnaire that asks questions concerning height, weight, physical
activity, and medical claims history.
Individuals who complete the HRA receive a personalized health report
from the carrier that assesses their health status and provides information on
how the individual can improve or maintain their health status. The carrier contracts with a third party to
assist in administering the program. The
carrier also prepares a report for the plan sponsor that summarizes the results
of the HRAs completed and provides aggregate information including the medical
history of those who completed the HRA. It does not include names, social security
numbers, health plan account numbers, birth dates or specific dates of
treatment, but does include the ages of the individuals who completed the
survey and includes information about past diagnoses or recent treatment
received. Other than this aggregate summary report, the plan sponsor does not
have access to any other information from the HRAs or access to the completed
HRAs.
Must the plan obtain a HIPAA business associate agreement
with the carrier under the HIPAA privacy rule?
Can the plan sponsor receive the aggregate summary report from the
carrier without individual authorization?
Does the analysis change if the plan is self-insured and the carrier is
simply administering the self-insured benefit providing the HRA program? What are the plan’s obligations to disclose
the arrangement in its Notice of Privacy Practices?
Proposed Answer 8:
There is no requirement for the fully-insured plan to have a business associate
agreement with the carrier. See
generally, 164.506(c)(5). The carrier is
itself a covered entity under HIPAA, and has its own obligations to comply with
HIPAA and execute a business associate agreement with its own third party
contractors. HIPAA allows the disclosure
of information for health care operations without individual
authorization. Health care operations
include population-based activities related to improving health or reducing
healthcare costs. As a result, the
aggregate summary report may be disclosed to the plan sponsor without
individual authorization, as long as plan document amendments are made pursuant
to 45 C.F.R. 164.504(f).
Where the plan sponsor is self-insuring the benefit, a HIPAA
business associate agreement must be executed with the carrier. The plan sponsor may receive the aggregate
summary report, if the plan documents have been amended pursuant to 45 C.F.R.
164.504(f).
The Notice of Privacy Practices should provide a general
description of the arrangement. For a
fully-insured plan, the health insurance carrier is responsible for providing
the Notice. The insured group health
plan is not required to provide or maintain the Notice under 45 C.F.R.
164.520(a)(2)(ii) since information it receives in the aggregate summary report
is “summary health information” as defined in 45 C.F.R. 164.504(a). The self-insured plan must provide the
Notice.
Answer 8: OCR agreed that in the insured scenario, the
plan is not required to obtain a HIPAA business associate agreement with the
carrier. In the self-insured example, a
business associate agreement is required.
Concerning the disclosure of the aggregate summary report,
OCR stated that the HIPAA regulation allows disclosure of health information to
a plan sponsor (1) if the plan documents incorporate certain requirements
including restricting the plan sponsor’s uses and disclosures to those
permitted by the Privacy Rule and the plan sponsor needs this information to
perform plan administration functions of the group health plan; (2) if the
information is limited to “summary health information” (as the term is defined
in 164.504(a)) and is provided pursuant to 164.504(f)(1)(ii) for purposes of
the plan sponsor shopping or modifying the plan; or (3) if the information is
de-identified in accordance with 164.514(a)-(c). Note that even if the identifiers listed at
164.514(b)(2)(i) are stripped, the information is not de-identified if the
covered entity has actual knowledge that the information could be used alone or
in combination with other information to identify an individual.
OCR agreed with the proposed answer concerning the
responsibility for providing the Notice of Privacy Practices. With respect to the description in the Notice
itself, OCR stated that the requirements for the Notice of Privacy Practices do
not require an example of every type of disclosure, so a general description of
this specific arrangement is not necessarily required, although it may be a
prudent thing to do.
Question 9: Some
group health plans want to require that their employees complete a health risk
assessment (HRA) in order to be eligible for coverage. The plan would use the PHI obtained in the
HRA in order to assess what types of wellness programs would work best to
improve health outcomes in the plan.
Would this practice violate HIPAA privacy?
Proposed Answer 9:
No. HIPAA privacy regulations allow the use of the PHI by a covered entity for
health care operations, which includes population-based activities related to
improving health or reducing healthcare costs.
It does not prohibit the disclosure of PHI by a plan participant as a
condition of eligibility for health coverage.
Answer 9: OCR
agreed with the answer, adding that HIPAA’s Privacy rules do not address the
determination of eligibility for a group health plan. They have forwarded inquiries on this topic to
the Department of Labor’s Employee Benefits Security Administration, which is
working with the EEOC to address these types of questions.
Note: The EEOC is currently against the practice of requiring
an employee to take a health risk assessment in order to be eligible for
coverage in the employer’s group health plan.
For the full text of the Q&A session, click on the link
below:
http://www.abanet.org/jceb/2007/HHS07Final.pdf