HIPAA Privacy

[DTH]

I would like to confirm my understanding about PHI.

A group health plan that provides benefits though an contract with insurance issuer or HMO is still a covered entity but is exempt from most HIPAA Privacy rules if it only receives summary health information or enrollment/disenrollment information.

If a participant comes to the "plan administrator" with a claims dispute:

1. The information the participant gives the plan administrator is not PHI.

2. When the plan administrator calls the insurance company to discuss the claim, it then becomes PHI because the information is coming from one covered entity (the plan) to another covered entity (the insurance company). If yes, is the plan then subject to all HIPAA Privacy rules? I think yes unless the plan administrator gets an authorization from the participant to discuss the claim with the insurer.

Please let me know your thoughts.

[jeanine]

I think the information is PHI even as you describe it in number 1. However, the individual isn't a covered entity plus it's his/her own PHI. They can disclose it to whoever they want. If the plan administrator were to call the insurance company they shouldn't be able to get the information from the insurer without an authorization. This is the approach we have taken with our clients. In a way, we are forcing them to be "hands-off" PHI unless they can demonstrate that they have fully complied with HIPAA. Most are more than happy to receive only enrollment/disenrollment and summary information so that they do not have to comply with all of the other requirements. A plan administrator--or more likely in the scenario you have described, the HR person--would not be able to discuss this with us without an authorization.

[Steve72]

Alternatively, the employer could take the position that it is assisting the employee in its role as employer, not plan administrator. The employer representative should make this clear to the employee before any information is disclosed. If this is done, the information does not become PHI, as it is never held by a covered entity.

Note that this makes it more difficult for the employer to discuss information with tthe insurer, however. Any further discussions will probably rewquire either the execution of an authorization or a joint conversation with the insured on the phone with the insurer and the employer rep.