HIPAA Privacy/Security and Claims Experience


Recommended Posts

A group health plan that provides benefits through a contract with an insurance issuer or HMO is still a covered entity but is exempt from most HIPAA Privacy rules if it only receives summary health information or enrollment/disenrollment information.

Use of a ZIP code would be considered summary health information if, for the first three digits of a ZIP code, according to current publicly available data from the Bureau of the Census:

(a) the geographic unit formed by combining all ZIP codes with the same three initial digits contains more than 20,000 people; and

(b) the initial three digits of a ZIP code for all such geographic units containing 20,000 or fewer people are changed to 000.

If carriers wanted to use 5 digit ZIP code ids for evaluating claims experience for marketing (getting bids from other carriers at renewal time) is that information subject to Privacy and Security?

If yes, I assume the Privacy/Security rules will apply to the health plan and also filter down to a broker, if involved.
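The three-digit ZIP generalization rule quoted in the post above, as an added worked example that is not part of the original thread. The per-ZIP population table is constructed for illustration and is not Bureau of the Census data; the record layout is likewise assumed.

```python
"""Added example: the three-digit ZIP code generalization the post describes.
The population figures below are CONSTRUCTED, not real census data."""

from collections import defaultdict

# Constructed sample table: five-digit ZIP code -> population (assumed values).
SAMPLE_ZIP_POPULATION = {
    "10001": 21000,
    "10002": 75000,
    "10003": 50000,
    "59001": 1500,   # sparsely populated 590xx area (assumed)
    "59002": 900,
    "59003": 2400,
}

POPULATION_THRESHOLD = 20000   # the 20,000-person cutoff stated in the post


def prefix_populations(zip_population):
    """Sum population over every ZIP code sharing the same first three digits,
    i.e. the 'geographic unit' the rule refers to."""
    totals = defaultdict(int)
    for zip_code, population in zip_population.items():
        totals[zip_code[:3]] += population
    return dict(totals)


def generalize_zip(zip_code, zip_population=SAMPLE_ZIP_POPULATION):
    """Return the three-digit prefix if its geographic unit holds more than
    20,000 people, otherwise '000'.  A prefix absent from the table is treated
    conservatively as 000.  Raises ValueError on a malformed ZIP code."""
    digits = zip_code.strip().split("-")[0]     # drop a ZIP+4 suffix if present
    if len(digits) != 5 or not digits.isdigit():
        raise ValueError(f"not a five-digit ZIP code: {zip_code!r}")
    prefix = digits[:3]
    if prefix_populations(zip_population).get(prefix, 0) > POPULATION_THRESHOLD:
        return prefix
    return "000"


def generalize_records(records, zip_population=SAMPLE_ZIP_POPULATION):
    """Rewrite the 'zip' field of each claims-summary record (assumed layout:
    a dict with at least a 'zip' key) and return the new list."""
    out = []
    for rec in records:
        new = dict(rec)
        new["zip"] = generalize_zip(rec["zip"], zip_population)
        out.append(new)
    return out


if __name__ == "__main__":
    # Constructed claims-summary rows: a ZIP code and a claim count.
    rows = [{"zip": "10002-1234", "claims": 12}, {"zip": "59001", "claims": 3}]
    for row in generalize_records(rows):
        print(row)
```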


I do not understand your issues or what it is you are questioning.

ALL information is subject to "Privacy and Security". But that has nothing to do with anything in your post.

The restrictions on a group health plan are different from those imposed on an insurance carrier or service provider.

The insurance carrier is eligible to receive any and all information. The insurance carrier is free to use any and all applicable info allowed by state law (if applicable) to develop a quotation.

However, carriers would not be "getting bids from other carriers at renewal time". Claims information is not evaluated for marketing nor does marketing by an insurance carrier involve getting bids from anyone.

George D. Burns

Cost Reduction Strategies

Burns and Associates, Inc

www.costreductionstrategies.com(under construction)

www.employeebenefitsstrategies.com(under construction)


DTH:

Actually, if you review the definition of Summary Health Information (SHI), the full five-digit zip code may be used (Section (2) of the definition of SHI). Reducing the zip code to three digits as you describe is only necessary if the information is to be de-identified, at which point it is outside the definition of PHI.

Under 164.504(f), SHI (including the full five-digit zip code) can be disclosed from the plan to the plan sponsor for use in obtaining premium bids from other insurers. The significance of this is, once the information is held by the plan sponsor, it is able to be further disclosed for that purpose.

As for security, because of a (probably unintentional) subtle difference between the language in the security and privacy rules, the SHI held by the employer MAY be subject to the security rules (if held or transmitted electronically). This would mean that the procedures the employer (on behalf of the plan) has implemented to protect e-PHI would extend to this information.


Thanks Steve!

Just to make sure I understand. If the plan is fully insured, the insurance company (covered entity) can give claims information using the full five digit ZIP code to the group health plan (also covered entity, but not subject to full blown HIPAA Privacy). The claims information is not PHI and the group health plan then can give the claims information to the employer or broker to obtain premium bids and not worry about HIPAA Privacy. However, if the claims information is in an electronic form, it would be considered ePHI and subject to the Security Rule.


Mostly correct. The only thing I would clarify (because I didn't express it very well in my original post) is the statement that the employer "does not need to worry about HIPAA privacy". Although this is technically correct, the employer can only use the information for the permissible purpose for which it is released (i.e., obtaining premium bids or amending the plan).

The reason for this is a little convoluted. In short, in order for the disclosure to be permissible under HIPAA, the plan's HIPAA amendment must provide for this type of disclosure, and limit the uses by the employer after disclosure. If the employer violates the terms of the amendment, it is failing to follow the terms of the plan. Although the employer is not subject to HIPAA (because it is not a covered entity), it could be committing an ERISA violation.


The insurance company would not be providing the information for use by the employer. The information would be provided so that the employer can provide (pass) it to the prospective bidders. The claims information needed for bidding and quoting is summary information and would have no PHI.

The employer is not allowed to actually view or use the information if it is in an individually identifiable form or contains PHI; as a result, most if not all insurers and claims administrators would refuse to give any employer individually identifiable information.

George D. Burns

GBurns:

Technically, that is not correct. Summary health information is still PHI, and is still considered "individually identifiable". It is a special subset of PHI which can be released from the "plan" (using the HIPAA definition) to the employer for certain specified purposes.


Guest qualified plan

As for security, because of a (probably unintentional) subtle difference between the language in the security and privacy rules, the SHI held by the employer MAY be subject to the security rules (if held or transmitted electronically).

If I understand you correctly, Steve, you are saying that an employer that only receives SHI from its fully insured HMO and no PHI (and so is generally "exempt" from complying with the HIPAA Privacy rules relating to providing Notices to employees and, in certain cases, would be exempt from adopting Plan amendments and certifications, etc.) would still need to comply with the HIPAA Security rules with respect to eSHI, since the HIPAA Security rules apply to ePHI, which includes eSHI (i.e., the Security rules do not include an exception for eSHI, except for plan amendments). Correct?


Qualified plan:

Actually, under the facts you posted, the employer would be exempt from the Security Rule as well.

The privacy rule states that enrollment and disenrollment info is not PHI when held by the employer.

The security rule says that enrollment/disenrollment info is not e-PHI if the only information held by the employer is enrollment/disenrollment and summary health info.

Now, arguably, if it isn't PHI, it isn't e-PHI, so this distinction is moot. However, this difference in the language of the two regs is problematic. They could have just duplicated the privacy language, but they did not.


Because (if I am reading your example correctly) the only information received by the employer is enrollment/disenrollment and SHI.

If this is the case, that information is exempted from the definition of e-PHI. If the employer had any other e-PHI, however (for example, a word document describing appeals), then a strict reading of the regulation would bring the enrollment/disenrollment and SHI back within the definition of e-PHI.

Sorry... I'm reading over my last post. This sentence:

The security rule says that enrollment/disenrollment info is not e-PHI if the only information held by the employer is enrollment/disenrollment and summary health info.

is incomplete. It should read "The security rule says that enrollment/disenrollment info and SHI which is held by the employer is not e-PHI if the only information held by the employer is enrollment/disenrollment and summary health info."


Guest qualified plan

Can you please provide a cite to the regulations that say that SHI is exempted from the definition of e-PHI. Thanks.


Steve72

How can summary info be individually identifiable?

Summary info used for bidding and quoting consists of info such as Number of Claims over $X and Shock Claims. There is absolutely no individual information in summary health information used for this purpose.

Where is it said that summary health info is PHI?

Where is it said that it is a subset of PHI?

George D. Burns

Guest qualified plan

GBurns, not sure if this is what you are looking for, but Section 154.504(a) states that:

"Summary health information means information, that may be individually identifiable health information, and (1) that summarizes the claims history....and (2) from which [certain] information....has been deleted. "

Left unanswered is my question to Steve72: "Can you please provide a cite to the regulations that say that SHI is exempted from the definition of e-PHI. "


Not what I was looking for.

The summary information that cite refers to is not the same as the summary information that an insurer would provide for use by another insurer in developing a quotation as per the OP.

George D. Burns

Summary health information is not exempted from the definition of PHI or e-PHI.

It is exempted if SHI and enrollment/disenrollment information is the only information held by the employer. This exemption can be found at §164.314(b). This is different from the Privacy standard at §164.504(f).

GBurns: SHI is PHI (unless it meets that specific exemption) because it does not meet the definition of de-identified information. In order to be de-identified (see §164.514), all identifiers must be removed. SHI contains a zip code as an identifier. Despite the fact that, practically speaking, it would be difficult to tie an individual to a claim with a seven-digit zip code, the fact that it is required to be removed in order for the information to be considered de-identified shows clearly that it remains inside the definition of PHI.

If you are using the term "summary information", you should be aware that this is a term of art under HIPAA. If the information used to get the bid removes all identifiers, including the seven digit zip code (these were not the facts of the original question), then the information is de-identified information, not SHI. De-identified information is outside the definition of PHI (and, therefore, e-PHI). The original post specified that the zip code was included. This is exactly the summary health information anticipated by HIPAA. Although still PHI (unless excepted from the definition as described above), it can still be released to the employer (and beyond) for the limited purpose of obtaining premium bids and amending the plan.

(Note that it is possible to get this information outside the definition of PHI if you are able to obtain an independent statistician's statement that the zip code is not sufficient identification to tie it back to the individual. Absent this step, any identification connected to the health information will render it IIHI and, if held by a covered entity, PHI.)


One more devil-is-in-the-details clarification.

Note that I have used the term "PHI" above, when I probably should have been using "individually identifiable health information" (IIHI). PHI is IIHI that is held by a covered entity. If IIHI is held by a non-covered entity (in the relevant example, the employer), then it is by definition not PHI.


The zip code information is on the enrollment form, a copy of which is already held by most employers. The individual claims experience information is not held by the employer.

The SHI used for developing quotations has no zip codes and does not need to be de-identified since zip codes would not have been used in producing the SHI report.

Zip code information is not required for developing the quotation and is not in the summary health info that would be provided by the insurance company.

Zip code information used to decide on provider placement is not in the summary health info, not part of the premium quote, and carries no names, addresses or individually identifiable information. It usually answers or is geared towards questions such as "How many cardiologists are in zip code 12345 and/or within 5 miles?"

George D. Burns

That is not what the original question asked.

If the zip code information is tied to actual claims information, then that information is IIHI. The only way this combined information could get to the employer is from the plan (using the HIPAA definition, which includes both the ERISA plan and the insurer).

The only reason the plan is permitted to disclose this information to the employer is for premium bids and amendment. To disclose it for another reason would be an unauthorized disclosure of PHI, and a violation of HIPAA.

If the zip code information is separate from the claims information (i.e., there is completely de-identified (NOT summary) information and, in a separate document, a listing of zip codes), then there are no HIPAA restrictions on its disclosure.


Guest qualified plan

[SHI] is exempted if SHI and enrollment/disenrollment information is the only information held by the employer [as per] §164.314(b).

Steve, as I read it, this exemption is for the Security Rule's plan document requirements only. Because SHI remains included under the definition of PHI, wouldn't the employer in my example (i.e., the one that has a fully insured HMO and only receives SHI) still have to technically comply with the Security rule with respect to eSHI?

Qualified plan:

If that information is held by the plan, yes. However, this limited disclosure arrangement is usually in a fully insured plan, and the employer can take the position that the information is held by the insurer (a HIPAA health plan with its own obligations) and the employer (a non-covered entity), never by the ERISA health plan. Therefore, the employer (either as employer, or in its role as the entity running the plan) has no e-PHI obligations.


Guest qualified plan

Steve,

Thanks for the responses, but couldn't the employer take the same position when it holds "ordinary" PHI (i.e., non-SHI PHI), that it is holding the PHI "outside the plan"?

Assuming the employer can't take that position then, what makes this PHI (i.e., SHI PHI) different?

Because that information cannot be disclosed to the employer, except for plan functions. The regs permit disclosure of SHI for those limited functions without documentation. Other information can only be disclosed for those reasons set forth in the amendment. If the employer receives information other than enrollment/disenrollment or SHI, then it can only do so in accordance with the HIPAA amended plan document. If it receives it in any other way, the plan has violated HIPAA.

Once the information is outside the plan (and held by the employer), the employer is bound by the terms of the amendment to, essentially, extend HIPAA protections to the information (or violate ERISA's requirement that it operate the plan according to the terms of the plan document).


The thread seems to have gone off on a tangent.

The original questions were:

1. "If carriers wanted to use 5 digit ZIP code ids for evaluating claims experience for marketing (getting bids from other carriers at renewal time) is that information subject to Privacy and Security?"

2. "If yes, I assume the Privacy/Security rules will apply to the health plan and also filter down to a broker, if involved."

Re 1. Carriers do not get bids from other carriers at renewal time, in the first place. What can be used for marketing purposes by the possessor of claims information is set out in HIPAA.

Re 2. The rules that apply to the health plan are not the same as those that apply to the insurance carrier. What filters down to a broker depends on which entity the broker represents under a Business Associate Agreement and the scope of the broker's involvement.

George D. Burns

I think the thread has stayed on point. The original poster understood my initial post as responsive to his question.

Your statement in (1) is correct. The employer feeds information to other carriers. I do not think the original poster was stating that the carrier was bidding out its own business. I read the question to ask whether an employer can send full zip code information to a carrier (if it requires such information) in an attempt to get a bid from that carrier. The answer is yes.

The employer must get this information from somewhere. The employer gets it from the plan. The reason it is able to get this information (without running afoul of HIPAA) is due to the special definition of SHI (which is a particular subset of PHI).

Your statement (2) is not entirely correct. HIPAA uses the same term ("Plan") to define both an insurance carrier and an ERISA plan. This (IMO) was an unfortunate decision on their part. It leads to a lot of confusion, and quite a bit of square-peg-into-round-hole situations. There are specific rules for "group health plans", but most of the rules are the same for the carrier and the ERISA plan.

The information going to the broker is dependent on whether the broker is acting on behalf of the plan or the employer. If it needs only receive SHI for the purpose of scouting bids, then it can act on behalf of the employer (because SHI can come outside the HIPAA firewall), and no BAA is needed.
