Privacy Exemption for Group Health Plans

[DTH]

I have a fully insured group health plan. The group health plan currently only receives summary health information, enrollment and disenrollment information. With this arrangement HIPAA Privacy rules exempt a group health plan from administration requirements.

If an employee comes to the plan administrator requesting help with a claims issue and the plan administrator receives protected health information, the group health plan will be subject to the administration requirements. Can the group health plan get out of these requirements by requesting the employee to sign an authorization form to use and disclose the employee's PHI to resolve the claims issue?

Thanks.

[Guest FormsRmylife]

Yes, just like an employee can sign an authorization for the employer to talk to his doctor about his sick leave excuse note. The employer as part of the authorization will have to determine what level of privacy it will promise for the information. It should at the least promise it will not use the information for any employment decisions.

[DTH]

Thanks for your answer FormsRmylife. It is clear in the regulations that an employer that does not receive PHI (only get summary health or enrollment / disenrollment info) is not subject to the special requirements that apply to employers. An employer can request a HIPAA PHI authorization form from a participant for ad hoc PHI uses and disclosures and still not be subject to these requirements.

My question is not about the employer it is about the group health plan. All group health plans are covered entities. If the group health plan is fully insured and has an insurance contact with an insurance carrier or HMO, and only receives summary health information, enrollment and disenrollment information it is not subject to the HIPAA administration requirements. However, because it is a covered entity, in this case, the group health plan must only comply with HIPAA Privacy's non-intimidation or retaliatory acts and waiver of HIPAA rights rules.

If the group health plan receives PHI, it will be subject to full-blown HIPAA. I'm trying to get around that by having participants sign a PHI authorization form. Can the group health plan do this or once they receive PHI (with or without a PHI authorization form) be subject to full-blown HIPAA?

Thanks.

[Steve72]

If you take the position that the advocacy/customer service activities taken on behalf of participants are EMPLOYER functions, this is posible. However, note that the authorization form to be executed will be that of the insurance carrier, not the employer or group health plan. You should verify with the insurance carrier that you will be able to operate in the manner you describe.

If the insurance carrier is amenable (they most likely will be) and it is made clear to participants that HR is assisting in its role as employer, this should not negatively impact your exemption from the administrative requirements of HIPAA.

[Jbentz]

I agree that if you use a HIPAA compliant auth form that will be between the EMPLOYEE and the insurance company, with permission to release the PHI to the EMPLOYER/benefit specialist you will not be required to comply with the other admin duties. The purpose listed should be very clear that it is for assisting the employee with claims adjudication (you may even want to list specific date of service).

With the correct auth form, you are not giving the group health plan any PHI.

[Guest llerner]

My understanding is that if the employer goes into specific diagnoses and other information that is PHI not only for the purpose of claims adjudication but to assist the employee, the health plans/ physicians etc. are supposed to require a Power of Attorney.

[Jbentz]

I have not heard of this requirement, and a POA is an overkill if you just want to help get a claim paid. We are a clinic with over 150 physicians, and I have been their Privacy Officer for three years. I have never seen a POA for an employer, nor would we request one. We would, however, request a HIPAA compliant Authorization before releasing information.

There are many kinds of POAs, ranging from financial, health, or all empowering. I will let the legal gurus chime in on this, but I would never require a POA to release information to an employer.

Perhaps there is a state law requiring this, but I have never heard of this requirement.

[Steve72]

I agree with jbentz. POA is never required by HIPAA, however the POA may permit the employer to act as the "personal representative" of the individuals.

If the insurer is going strictly by HIPAA's rules, an authorization will permit release of any information, including specific diagnoses. However, there is nothing preventing the insurer from having more restrivtive policies.