Steve72
Posts: 321
Everything posted by Steve72
Imposition of New Lifetime Maximum
Steve72 replied to a topic in Health Plans (Including ACA, COBRA, HIPAA)
Kirk: Did the situation you described go to court? My understanding of 510 is that it prevents employment actions. I would be curious as to the logic the court used to consider a plan amendment an employment action.
HIPAA - Social Security #'s and 401(k) Plans
Steve72 replied to a topic in Health Plans (Including ACA, COBRA, HIPAA)
The client is incorrect. Based on your post, HIPAA would not prevent the release of this information. The social security numbers of employees of a covered entity are not subject to HIPAA (although they may be subject to other privacy rules). Only information relating to medical information (e.g., information about patients) would be subject to the rules. Paragraph (2) of the definition of "Health Information" in HIPAA should be the starting point. Since employee SSNs do not "relate to the past, present, or future physical or mental health or condition of the individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual", it will not be health information, and therefore not PHI. However, convincing your client of this may be difficult. I would imagine that their privacy department could clarify this issue with your contact person. She may simply misunderstand the policies established by the medical office.
Is this a litigatable HIPAA violation?
Steve72 replied to a topic in Health Plans (Including ACA, COBRA, HIPAA)
jeanine is absolutely correct. HIPAA is extremely narrow in its application. Corgi, you were told that you couldn't receive information due to HIPAA. Covered entities are restricted from disclosures, not receipt. The entity from whom you were trying to obtain the information was restricted due to its covered entity status (insurance providers are considered "health care plans", which are covered entities).
It must be HIPAA day! jkonline, it sounds like you would be (if anything) a business associate, not a covered entity. If your organization provides support for a covered entity in which the review of PHI was necessary (for example, in auditing emails), then your obligations would spring from the business associate contract, not HIPAA itself. This is worth re-stating. From your post, it seems that you have no obligation under HIPAA. You may have state privacy law requirements, and will probably have contractual requirements, however. Your support supervisor's quote is actually pretty close to the Privacy and Security standards. HIPAA (particularly HIPAA Security) doesn't mandate a particular security measure. Rather, it requires that you review your current policies and determine whether the risks of loss of confidentiality, integrity or availability mandate that you improve your current systems. Assuming that the BAA mandates that you follow the Security rule, you will need to conduct (and document) a risk assessment of your current systems, and establish a rationale for why your current systems are sufficient, or how you will make them sufficient. As for privacy, the BAA will likely require that you restrict disclosures of PHI to the "minimum necessary". If the "no PHI in emails" rule is feasible, this would be a good way to approach this requirement.
HIPAA Privacy/Security and Claims Experience
Steve72 replied to DTH's topic in Health Plans (Including ACA, COBRA, HIPAA)
I think the thread has stayed on point. The original poster understood my initial post as responsive to his question. Your statement in (1) is correct. The employer feeds information to other carriers. I do not think the original poster was stating that the carrier was bidding out its own business. I read the question to ask whether an employer can send full zip code information to a carrier (if it requires such information) in an attempt to get a bid from that carrier. The answer is yes. The employer must get this information from somewhere. The employer gets it from the plan. The reason it is able to get this information (without running afoul of HIPAA) is due to the special definition of SHI (which is a particular subset of PHI). Your statement (2) is not entirely correct. HIPAA uses the same term ("Plan") to define both an insurance carrier and an ERISA plan. This (IMO) was an unfortunate decision on their part. It leads to a lot of confusion, and quite a bit of square peg into round hole situations. There are specific rules for "group health plans", but most of the rules are the same for the carrier and the ERISA plan. The information going to the broker is dependent on whether the broker is acting on behalf of the plan or the employer. If it needs only receive SHI for the purpose of scouting bids, then it can act on behalf of the employer (because SHI can come outside the HIPAA firewall), and no BAA is needed.
HIPAA Privacy/Security and Claims Experience
Steve72 replied to DTH's topic in Health Plans (Including ACA, COBRA, HIPAA)
...Because that information cannot be disclosed to the employer, except for plan functions. The regs permit disclosure of SHI for those limited functions without documentation. Other information can only be disclosed for those reasons set forth in the amendment. If the employer receives information other than enrollment/disenrollment or SHI, then it can only do so in accordance with the HIPAA amended plan document. If it receives it in any other way, the plan has violated HIPAA. Once the information is outside the plan (and held by the employer), the employer is bound by the terms of the amendment to, essentially, extend HIPAA protections to the information (or violate ERISA's requirement that it operate the plan according to the terms of the plan document).
HIPAA Privacy/Security and Claims Experience
Steve72 replied to DTH's topic in Health Plans (Including ACA, COBRA, HIPAA)
Steve, as I read it, this exemption is for the Security Rule's plan document requirements only. Because SHI remains included under the definition of PHI, wouldn't the employer in my example (i.e., the one that has a fully insured HMO and only receives SHI) still have to technically comply with the Security rule with respect to eSHI? Qualified plan: If that information is held by the plan, yes. However, this limited disclosure arrangement is usually in a fully insured plan, and the employer can take the position that the information is held by the insurer (a HIPAA health plan with its own obligations) and the employer (a non-covered entity), never by the ERISA health plan. Therefore, the employer (either as employer, or in its role as the entity running the plan) has no e-PHI obligations.
HIPAA Privacy/Security and Claims Experience
Steve72 replied to DTH's topic in Health Plans (Including ACA, COBRA, HIPAA)
That is not what the original question asked. If the zip code information is tied to actual claims information, then that information is IIHI. The only way this combined information could get to the employer is from the plan (using the HIPAA definition, which includes both the ERISA plan and the insurer). The only reason the plan is permitted to disclose this information to the employer is for premium bids and amendment. To disclose it for another reason would be an unauthorized disclosure of PHI, and a violation of HIPAA. If the zip code information is separate from the claims information (i.e., there is completely de-identified (NOT summary) information and, in a separate document, a listing of zip codes), then there are no HIPAA restrictions on its disclosure.
HIPAA Privacy/Security and Claims Experience
Steve72 replied to DTH's topic in Health Plans (Including ACA, COBRA, HIPAA)
One more devil-is-in-the-details clarification. Note that I have used the term "PHI" above, when I probably should have been using "individually identifiable health information" (IIHI). PHI is IIHI that is held by a covered entity. If IIHI is held by a non-covered entity (in the relevant example, the employer), then it is by definition not PHI.
HIPAA Privacy/Security and Claims Experience
Steve72 replied to DTH's topic in Health Plans (Including ACA, COBRA, HIPAA)
Summary health information is not exempted from the definition of PHI or e-PHI. It is exempted if SHI and enrollment/disenrollment information is the only information held by the employer. This exemption can be found at §164.314(b). This is different from the Privacy standard at §164.504(f). GBurns: SHI is PHI (unless it meets that specific exemption) because it does not meet the definition of de-identified information. In order to be de-identified (see §164.514), all identifiers must be removed. SHI contains a zip-code as an identifier. Despite the fact that, practically speaking, it would be difficult to tie an individual to a claim with a seven-digit zip code, the fact that it is required to be removed in order for the information to be considered de-identified shows clearly that it remains inside the definition of PHI. If you are using the term "summary information", you should be aware that this is a term of art under HIPAA. If the information used to get the bid removes all identifiers, including the seven digit zip code (these were not the facts of the original question), then the information is de-identified information, not SHI. De-identified information is outside the definition of PHI (and, therefore, e-PHI). The original post specified that the zip code was included. This is exactly the summary health information anticipated by HIPAA. Although still PHI (unless excepted from the definition as described above), it can still be released to the employer (and beyond) for the limited purpose of obtaining premium bids and amending the plan. (Note that it is possible to get this information outside the definition of PHI if you are able to obtain an independent statistician's statement that the zip code is not sufficient identification to tie it back to the individual. Absent this step, any identification connected to the health information will render it IIHI and, if held by a covered entity, PHI.)
HIPAA Privacy/Security and Claims Experience
Steve72 replied to DTH's topic in Health Plans (Including ACA, COBRA, HIPAA)
Because (if I am reading your example correctly) the only information received by the employer is enrollment/disenrollment and SHI. If this is the case, that information is exempted from the definition of e-PHI. If the employer had any other e-PHI, however (for example, a word document describing appeals), then a strict reading of the regulation would bring the enrollment/disenrollment and SHI back within the definition of e-PHI. Sorry... I'm reading over my last post. This sentence: "The security rule says that enrollment/disenrollment info is not e-PHI if the only information held by the employer is enrollment/disenrollment and summary health info." is incomplete. It should read "The security rule says that enrollment/disenrollment info and SHI which is held by the employer is not e-PHI if the only information held by the employer is enrollment/disenrollment and summary health info."
HIPAA Privacy/Security and Claims Experience
Steve72 replied to DTH's topic in Health Plans (Including ACA, COBRA, HIPAA)
Qualified plan: Actually, under the facts you posted, the employer would be exempt from the Security Rule as well. The privacy rule states that enrollment and disenrollment info is not PHI when held by the employer. The security rule says that enrollment/disenrollment info is not e-PHI if the only information held by the employer is enrollment/disenrollment and summary health info. Now, arguably, if it isn't PHI, it isn't e-PHI, so this distinction is moot. However, this difference in the language of the two regs is problematic. They could have just duplicated the privacy language, but they did not.
HIPAA Privacy/Security and Claims Experience
Steve72 replied to DTH's topic in Health Plans (Including ACA, COBRA, HIPAA)
GBurns: Technically, that is not correct. Summary health information is still PHI, and is still considered "individually identifiable". It is a special subset of PHI which can be released from the "plan" (using the HIPAA definition) to the employer for certain specified purposes.
HIPAA Privacy/Security and Claims Experience
Steve72 replied to DTH's topic in Health Plans (Including ACA, COBRA, HIPAA)
Mostly correct. The only thing I would clarify (because I didn't express it very well in my original post) is the statement that the employer "does not need to worry about HIPAA privacy". Although this is technically correct, the employer can only use the information for the permissible purpose for which it is released (i.e., obtaining premium bids or amending the plan). The reason for this is a little convoluted. In short, in order for the disclosure to be permissible under HIPAA, the plan's HIPAA amendment must provide for this type of disclosure, and limit the uses by the employer after disclosure. If the employer violates the terms of the amendment, it is failing to follow the terms of the plan. Although the employer is not subject to HIPAA (because it is not a covered entity), it could be committing an ERISA violation.
HIPAA Privacy/Security and Claims Experience
Steve72 replied to DTH's topic in Health Plans (Including ACA, COBRA, HIPAA)
DTH: Actually, if you review the definition of Summary Health Information (SHI), the full five-digit zip code may be used (Section (2) of the definition of SHI). Reducing the zip code to three digits as you describe is only necessary if the information is to be de-identified, at which point it is outside the definition of PHI. Under 164.504(f), SHI (including the full five-digit zip code) can be disclosed from the plan to the plan sponsor for use in obtaining premium bids from other insurers. The significance of this is, once the information is held by the plan sponsor, it is able to be further disclosed for that purpose. As for security, because of a (probably unintentional) subtle difference between the language in the security and privacy rules, the SHI held by the employer MAY be subject to the security rules (if held or transmitted electronically). This would mean that the procedures the employer (on behalf of the plan) has implemented to protect e-PHI would extend to this information.
I think an amendment is necessary. The rules surrounding the protection of e-PHI significantly differ from and expand on the "appropriate administrative, technical and physical safeguards" requirement in the Privacy Rule. The Security Rule contains a specific requirement that BAAs describe the BA's security responsibilities (although HHS has indicated it will not release model language). Relying on the privacy language would be insufficient to meet the Security requirements, in my opinion.
Alternatively, the employer could take the position that it is assisting the employee in its role as employer, not plan administrator. The employer representative should make this clear to the employee before any information is disclosed. If this is done, the information does not become PHI, as it is never held by a covered entity. Note that this makes it more difficult for the employer to discuss information with the insurer, however. Any further discussions will probably require either the execution of an authorization or a joint conversation with the insured on the phone with the insurer and the employer rep.
Correction of HIPAA Privacy Violation
Steve72 replied to a topic in Health Plans (Including ACA, COBRA, HIPAA)
There's no requirement to notify the individual in HIPAA. If you want to do so as a "good faith" measure, it may not be a bad idea. It sounds like you've got your bases covered well. I'm not sure if the "fire the employee" comment was serious, but HIPAA does require that a covered entity (or here, the sponsor of the covered entity) implement a sanction policy. The employee who caused the breach should be subject to the discipline described in this policy.
The fact that one-employee departments are involved makes it possible that there MUST be individually identifiable information shared. If a $300,000 bill is attributable to a one-person department, then the accounting department knows that that person has a $300,000 bill. This is probably individually identifiable health information due to paragraph (2)(ii) of the definition of that term. However, the billing is a permissible payment function. Therefore, if the plan sponsor wishes to administer its plan in this manner, I would recommend including the accounting personnel in the "HIPAA Firewall", meaning they should be trained and mentioned in the HIPAA amendment to the plan. Their training should indicate that they are to use this information solely for accounting functions, and that violation of this rule will be subject to sanctions.
I may possibly go insane over the next week. -Steve72, longtime suffering Eagles season ticket holder
ERISA and reduction in benefits
Steve72 replied to a topic in Health Plans (Including ACA, COBRA, HIPAA)
...And I seriously doubt you will find one. It would require an insurance company to sell a policy that it knows is non-compliant. No insurance company is going to risk losing its ability to do business to sell a single contract.
ERISA and reduction in benefits
Steve72 replied to a topic in Health Plans (Including ACA, COBRA, HIPAA)
Don: You are missing that there are two entities with potential liability here. The employer can make the change. However, if the insurer agrees to sell a non-compliant contract to the employer, then it is violating state insurance law. Nothing in Met Life changes that. Whether the decision to make a change is a settlor or a fiduciary function has no bearing on the sale of an illegal contract by the insurer. It is not an ERISA issue. ERISA does not pre-empt the state's right to regulate the sale of insurance contracts (including group contracts) within its jurisdiction. The insurer will not risk liability, and so will refuse to write the contract. This statement: "Well, at least we have arrived at the point, it seems, that employers need not offer benefits that correspond with state mandated benefits, even in fully insured plans," while legally true, is misleading. Such contracts are illegal to be sold. While the employer would be free from liability, the product will not exist.
ERISA and reduction in benefits
Steve72 replied to a topic in Health Plans (Including ACA, COBRA, HIPAA)
mbozek is 100% correct. To look at it another way, the sponsor of an insured plan is (legally) free to offer a benefit plan that does not comply with state mandated benefits...there is no law preventing that. However, no insurer would ever sell such a contract to the employer, because to do so would violate state insurance law. Therefore, it is impossible. Self funded arrangements are not subject to state insurance law because they are not insurance companies.
I don't think that anyone is suggesting that an employer could not do what you suggested, mbozek. The initial question was whether an employer could pay employees to waive coverage, meaning that they were initially eligible. The theory I described certainly will involve the employer defining the eligible class; however, it is the fact that it is a determination made by the employee to elect to be eligible or ineligible that makes it skirt the line of 125.
ERISA and reduction in benefits
Steve72 replied to a topic in Health Plans (Including ACA, COBRA, HIPAA)
You're both right, IMHO. Plans can certainly be amended at any time. However, amendments which target individuals are prohibited by the HIPAA nondiscrimination rules. However, those rules state specifically that an amendment made effective as of the beginning of the plan year will not violate the HIPAA nondiscrimination rules. Therefore an employer can adopt an amendment that would otherwise be prohibited if it is effective as of the beginning of the next plan year. Note that this is a safe harbor for ERISA only. As has been alluded to, there are other laws (ADA, for example) that may prevent the employer from taking this action. The application of such rules would be dependent upon the particular facts.
