CMS Data Match Program

[Chaz]

A contributing employer to a multiemployer welfare fund has received a request from CMS to provide information about its employees for purposes of the CMS data match program. The employer is required by law to provide the requested information. The employer does not have the information, which resides with the multiemployer fund.

Under HIPAA, does anyone have any thoughts on whether the fund can provide the information (mostly health plan enrollment information) to the contributing employer without authorization under HIPAA's privacy rules?

In the non-multiemployer plan context, the employer can provide the information to CMS under the "required by law" exception (EDIT: the employer is not a covered entity so it need not rely on a HIPAA exception) and the employer, as plan sponsor, can obtain the enrollment information from its group health plan. But a contributing employer is not the plan sponsor of the multiemployer plan so this rationale does not seem applicable.

Thanks!

[GMK]

FWIW, my thoughts are that the multiemployer welfare fund (the covered entity) can provide the information under the Required by Law exemption and the Health Oversight Activities exemption, pretty much the same as the group health plan provides the data for the CMS Program to the employer in the non-multiemployer plan case.

I have not found anything from HIPAA or CMS that specifically verifies my thoughts, but I feel that it is unlikely that HIPAA can (or is intended to) block the CMS Data Match Program.

And if you, who usually knows the answers to these kinds of questions, is doing the asking, I'm not sure who to would know. But I'll be watching for the answer.

[Chaz]

Thanks for the response.

I think the fund could definitely provide the information directly to CMS if CMS requested it (because it would be required to by law).

But, here, the contributing employer is requesting that the fund provide IT with the information to provide to CMS in order for the employer to comply with law.

The fund cannot ordinarily disclose PHI to a contributing employer without complying with HIPAA. This disclosure is not "required by law."

The fund can possibly send the information directly to CMS at the contributing employer's request but I am not sure whether that disclosure, which would be in effect voluntary, would meet the "required by law" requirement.

[GMK]

How about as a Health Oversight Activity, which the CMS program seems to be?

[Chaz]

Thanks. That's a possibility if the fund sends the information directly to CMS but not to the employer.

[Miner88]

I have this same issue - did you figure out how to handle it?

[Peter Gulia]

What happens if an employer responds to CMS (truthfully, one hopes) that the employer lacks requested information and is willing to cooperate with CMS's effort to obtain the information from the source of the information?