Is a COBRA service provider a "Business Associate" for HIPAA purposes?


Guest cstrong

I have a COBRA service provider that denies it is a "business associate" as defined in HIPAA. I think I disagree. Does anyone have any thoughts?

Thanks in advance for any help!

Link to comment
Share on other sites

I agree with you. The COBRA service provider is performing services on behalf of your health plan and receiving PHI. It seems pretty clear to me.

Link to comment
Share on other sites

I use the "three legged stool" method for my analysis for BAs that AHIMA (American Health Information Management Association) recommends:

1) Are you sharing PHI?

2) Are they outside your workforce?

3) Are they doing something on your behalf?

All three answers must be yes or they do not qualify. If your service provider still disagrees, then ask them to tell you why under the definition under 160.103. I also ask for them to document their decision so I may send it to our attorney and to the OCR for clarification. That usually brings them around to my way of thinking.

Let me know if you need any further help, will be glad to help.

Link to comment
Share on other sites

Guest BenefitsLawyer

It may be that a COBRA service provider needs only enrollment/disenrollment info and premium payment info to perform its services. In the hands of the plan sponsor/employer, neither enrollment/disenrollment info nor premium payment info is PHI. So, if the COBRA service provider receives only enrollment/disenrollment info and premium payment info, and receives it from the plan sponsor/employer, there is no sharing of PHI by the plan and no business associate relationship between the COBRA service provider and the plan.

This is an area that OCR has been asked to address, but has not (at least as of this a.m.).

Link to comment
Share on other sites

I would assume the plan is sharing PHI or it would not seek a BAA. The service provider would possibly be receiving substantiation of applications for disability extensions.

Link to comment
Share on other sites

I think that BenefitsLawyer is right in about 99% of the cases.

But if the fact scenario that kowen suggested actually materializes, then I think you may have a HIPAA question. That is because the COBRA service provider would presumably get a copy of the determination by the Social Security Administration that the person is disabled. It seems to me that is the exact type of information that HIPAA was trying to protect the privacy of.

However, I will freely admit that I am a relative novice in the nuances of the Privacy Rule promulgated under HIPAA, so I solicit the views of more knowledgeable persons.

Kirk Maldonado

Link to comment
Share on other sites

Kirk, you (and kowen) raise an interesting point. I do not think it changes the result, however.

The Social Security determination, until it is received by a covered entity (or the business associate of a covered entity) is not PHI. If you take the position that the COBRA service provider is acting on behalf of the employer and not the plan, then the receipt of the determination will not impact that determination...unless the determination is received directly from the plan.

I agree that this seems counter-intuitive. One would think that the determination would be one of the pieces of information that would be most protected. Due to the manner in which HIPAA was crafted, however, only information used or disclosed by a covered entity is protected. Once the information is disclosed outside a covered entity, it is outside HIPAA's protection.

Link to comment
Share on other sites

Good point, but I think the COBRA provider would be acting on behalf of the plan administrator, who is responsible for most of the COBRA burdens. If the provider was only acting on behalf of the employer, they would be notifying the plan administrator of qualifying events and not much else. If the employer and plan administrator were the same entity, as is normally the case in single employer plans, it would make no sense to hire a provider to carry out COBRA responsibilities of the employer only. There are some gray areas and the "plan" is often only a legal document. I don't think HIPAA was drafted with the intention of enforcing rules against documents and I don't think HHS would buy the "acting on behalf of the employer only."

Link to comment
Share on other sites

Intellectually, I agree with your reasoning, kowen, however, looking at it in that manner would render the statement that enrollment and disenrollment information held by the employer and not the plan is not PHI meaningless.

I apologize for the ungainliness of that last sentence.

Link to comment
Share on other sites

Steve72:

I agree that you are raising a very good point.

Further, I want to caveat my remarks with the disclaimer that I am only peripherally involved in HIPAA. But the HIPAA attorneys that I've worked with have indicated that the employer doesn't have to worry about such health information as long as that information is in the individual's employment records maintained by that employer.

Assuming that is the correct test, then I am skeptical that your argument would prevail. For one thing, by definition those people aren't working any more. Second, I think that is stretching the concept of working on behalf of the employer too far.

But I will freely concede that you have a good faith argument.

Kirk Maldonado

Link to comment
Share on other sites

"But I will freely concede that you have a good faith argument. "

Works for me. I also freely concede that this argument is far from doubt. When there is a question, I always recommend seeking the BAA. However, some service providers are adamant that they are acting on behalf of the employer. If so, I believe the above is the stance to take.

As I may have said before, I believe that HHS's understanding of the ERISA universe is.....less than sophisticated. Many of these issues may need further guidance, which may not be forthcoming.

Link to comment
Share on other sites

Steve72:

I think your comment applies to all federal agencies other than the IRS, DOL, and the PBGC.

But that isn't too surprising, if you ever spent any time working in a federal bureaucracy. They have so many workers that, even within the area that they are responsible for, everybody gets hyper-specialized. Thus, as a general rule, nobody there generally has a good overall picture of the entire area that is subject to the jurisdiction of that agency, let alone other areas of the law.

Kirk Maldonado

Link to comment
Share on other sites

The more I think about it, the less comfortable I feel that the argument that the COBRA provider is acting on behalf of the employer should work. If it did, to a large extent that eviscerates the concept of "business associate," because if they weren't acting on behalf of the employer, then why would the business hire them in the first place?

It seems to me that the underlying theory is that if the covered entity passes on health information to another entity, a business associate agreement is needed to protect the privacy of that information, to the same extent as it is protected in the hands of the covered entity.

The extension of the argument that the COBRA service provider isn't a business associate would mean that it has no obligation to protect the privacy of that information under HIPAA. That doesn't seem to be the right result to me.

Kirk Maldonado

Link to comment
Share on other sites

The more I think about it, the less comfortable I feel that the argument that the COBRA provider is acting on behalf of the employer should work. If it did, to a large extent that eviscerates the concept of "business associate," because if they weren't acting on behalf of the employer, then why would the business hire them in the first place?

It seems to me that the underlying theory is that if the covered entity passes on health information to another entity, a business associate agreement is needed to protect the privacy of that information, to the same extent as it is protected in the hands of the covered entity.

The extension of the argument that the COBRA service provider isn't a business associate would mean that it has no obligation to protect the privacy of that information under HIPAA. That doesn't seem to be the right result to me.

Again, I do not disagree with your analysis from a policy perspective. However, the HIPAA rules were drafted for providers, not employer sponsored plans. In many ways, HHS has attempted to alter the rules' applicability to ERISA plans to ensure that business operations can continue.

Your statement regarding the underlying theory is correct, and is, in fact, why I think this argument flies. Health information (e.g., enrollment information) is (arguably) not being transferred from a covered entity (the plan), but from the employer.

The employer is under no HIPAA obligation to protect enrollment information, neither is its contractor.

Link to comment
Share on other sites

Steve72

Who really does the enrollment, the employer, the health plan or the insurance provider (for insured plans)?

George D. Burns

Cost Reduction Strategies

Burns and Associates, Inc

www.costreductionstrategies.com (under construction)

www.employeebenefitsstrategies.com (under construction)

Link to comment
Share on other sites

Steve72

Who really does the enrollment, the employer, the health plan or the insurance provider (for insured plans)?

GBurns:

Aye, there's the rub. It depends on how narrowly the "enrollment/disenrollment" exception is read. I can see both sides.

As a practical note, HHS has said that it is aware of a lack of clarity surrounding certain issues, and will not take a hard-line enforcement approach. They say that they've engaged in a few outreach actions, but have taken an educational, rather than a punitive approach.

Link to comment
Share on other sites
