Just how much does a self-funded plan administrator need to know about

[jeanine]

A while back someone questioned a situation where the plan administrator was receiving EOB's and opening them before sending to the enrollee. I have a situation that is somwwhat similar. We are a TPA. Sometimes our self-fundeds ask us to provide special reports, such as a pharmacy analysis, to track drugs that might be overutilized or look for ways to cut cost by a formulary or 3-tier payor system. I advised the rep not to turn over this information until all names and socials were redacted. Since we assume all administrative functions by contract I don't think the Plan Administrator has any legitimate reason to know who receives what and for what diagnosis. Same thing with claims--they should just get the cost without need to know diagnosis of particular enrollee. Am I overreacting here? Although I don't think this is per se illegal, it certainly seems actionable under a few federal laws.

One response I have gotten here is that we have the self-funded client sign a "holds harmless" provision in the general admin contract but I think that is useless. I am looking for suggestions on how to limit our liability as a TPA if someone turns over this kind of information at the insistence of the company. Do we have any way to protect ourself or at least limit our liability?

[Kirk Maldonado]

Is there anything on point in the recently issued privacy regulations?

[Guest Patricia Ibbs]

I usually recommend that you, as the TPA, warn your client (in writing) that asking for specific information with names or SS# attached may come back as a discrimination suit from the employee/participant. It has happened and then the employer has to answer (in court) just exactly why it needed the information in that specific form. Have the client write back, exactly what information it wants. If the client is the plan administrator, you must give it over but the documentation should help you if a court case arises. Your function is purely ministerial; you should not exhibit any control over the plan. See CSA 401(k) Plan v. Pension Professionals, Inc., 195 F.3d 1135 (9th Cir. 1999).

[Guest Dan NMHC]

If you are the TPA and the PBM you work with provides details on Rx utilization to your client with out your knowlege, I do not think that you can be liable. It is my understand that the Fund (your Client) is acting as a Fidurary and thereby has the responsability.

Good Question

[Guest]

The proposed HIPAA privacy regs would probably prohibit the disclosure. The regs apply to individually identifiable health info (referred to as protected health info, PHI) that is ever maintained or transmitted electronically. Without an individual authorization from the employee, PHI may only be used/disclosed for treatment, payment, or health care operations (the latter being defined in a fairly limited way, and focusing on clinical operations). A disclosure may also be made with an individual authorization. Any use/disclosure, with or without an individual authorization, must be limited to the "minimum necessary." Therefore, unless the self-funded employer (which is a health plan and a covered entity under the regs) can show a treatment or payment reason for disclosure, and a reason why aggregate or de-identified info wouldn't be just as good, no disclosure would be allowed under the regs.

[jeanine]

I was in fact concerned about the new HIPAA privacy regulations and how it affects this disclosure. Until those regulations are fully implemented, we have decided to double check our administration agreements (checked out OK with a hold harmless clause) and to reiterate this clause on correspondence to the company. We are also only turning over upon written request from this point forward, something I can't guarantee we did at all times in the past.