HIPAA FAQ – Group Health Plans

Does HIPAA permit one health plan to share protected health information (PHI) about individuals in common with a second health plan for care coordination purposes?

Yes.

The HIPAA Privacy Rule permits a covered entity to disclose PHI to another covered entity for its own health care operations purposes, or for the health care operations of the entity receiving the information. If the disclosure of PHI is for the health care operations of the recipient covered entity, the Privacy Rule requires that (i) each entity either has or had a relationship with the individual who is the subject of the PHI being requested, (ii) the PHI pertains to that relationship, and (iii) the disclosure is for a health care operation listed in paragraphs (1) or (2) of the definition of health care operations or for health care fraud and abuse detection or compliance. 45 CFR 164.502(a)(1)(ii); 45 CFR 164.506(c)(4). Case management and care coordination are among the activities listed in paragraph (1) of the definition of health care operations. 45 CFR 164.501. For example, if Covered Entity A provides health insurance to an individual who receives access to the provider network of another plan provided by Covered Entity B, Covered Entity A is permitted to disclose an individual’s PHI to Covered Entity B for care coordination, without the individual’s authorization. 45 CFR 164.506(c)(1). Similarly, if an individual had been enrolled in a health plan of Covered Entity A and switches to a health plan provided by Covered Entity B, Covered Entity A can disclose PHI to Covered Entity B for Covered Entity B to coordinate the individual’s care, without the individual’s authorization.

Although such disclosures are permitted, they are subject to the minimum necessary standard. 45 CFR 164.502(b).

Does the HIPAA Privacy Rule permit a covered entity to use and disclose PHI to inform individuals about other available health plans that it offers, without the individuals’ authorization, if the covered entity received the PHI for a different purpose?

Yes, in certain circumstances. If a covered entity possesses or receives PHI about an individual, it can use or disclose such PHI where, and in the manner, permitted by the Privacy Rule. 45 CFR 164.502(a) and (b). Covered entities are prohibited from using or disclosing PHI for marketing purposes without the individual’s authorization, unless the communications are subject to an exception. 45 CFR 164.508(a)(3)(i) (exception to marketing authorization for face-to-face communications by a covered entity to an individual and for promotional gifts of nominal value). In addition, certain communications to individuals about products or services are specifically excluded from the definition of “marketing.” 45 CFR 164.501 (definition of marketing, para (2)). One such exclusion from the definition of marketing is for communications to individuals regarding replacements to, or enhancements of, existing health plans, so long as the covered entity is not receiving financial remuneration for the communications. 45 CFR 164.501 (definition of marketing, para (2)(ii)(B)); see also 45 CFR 164.506(c)(1) and 45 CFR 164.501 (definition of “health care operations,” para (3)). Thus, if these conditions are met, HIPAA permits a covered entity to use PHI in its possession about individuals to inform such individuals about the availability of other health plans it offers without the individuals’ authorization. See 45 CFR 164.502(a)(1). For example, in a situation where Plan A discloses PHI about an individual to Plan B (a separate covered entity), Plan B is permitted to send communications to the individual about Plan B’s health plan options that may replace the individual’s current plan (e.g., Medicare plans for individuals reaching the age of Medicare eligibility), without the individual’s authorization, so long as Plan B (1) receives no remuneration for sending the communication to the individual, and (2) complies with any business associate agreement(s), where applicable.

Is a health plan required to periodically notify enrollees about the availability, and how to obtain a copy, of its Notice of Privacy Practices?

Yes. The Privacy Rule requires a health plan to remind enrollees of the availability of its Notice of Privacy Practices, as well as how to obtain a copy, no less frequently than once every 3 years. See 45 CFR 164.520(c)(1)(ii).

Health plans may satisfy this requirement in a number of ways, including by:

  • Sending a copy of their Notice of Privacy Practices.
  • Mailing only a reminder concerning the availability of the Notice of Privacy Practices and information on how to obtain a copy.
  • Including in a plan-produced newsletter or other publication information about the availability of the Notice of Privacy Practices and how to obtain a copy.

Health plans already may have satisfied the reminder requirement in a number of ways. For instance, a health plan may have adopted the practice of sending its Notice of Privacy Practices to subscribers and enrollees annually. Or, a health plan may have substantially amended its Notice of Privacy Practices recently, and thus, sent the revised Notice to its subscribers and enrollees as required by the Privacy Rule. See 45 CFR 164.520(c)(1)(i)(C). Moreover, a plan may have included information regarding the availability of its Notice of Privacy Practices in annual communications sent to subscribers and enrollees of the plan.

A health plan can satisfy the requirement by providing the reminder notice to the named insured of a policy under which coverage is provided to that named insured and one or more dependents. See 45 CFR 164.520(c)(1)(iii). For instance, if an employee of a firm and her three dependents are covered under a single health plan policy, that health plan can satisfy the reminder requirement by sending information concerning the availability of the Notice of Privacy Practices to just the employee, rather than to the employee and each dependent.

This information is especially timely as the third anniversary of the compliance date of the HIPAA Privacy Rule nears. Health plans, other than small health plans, were first required to distribute their Notice of Privacy Practices to subscribers and enrollees by April 14, 2003. Thus, those health plans that have not already reminded subscribers and enrollees in some manner of the availability of their Notice of Privacy Practices and how they may obtain a copy, must do so no later than April 14, 2006. For small health plans, which had until April 14, 2004, to first distribute their Notices of Privacy Practices, the compliance date for the triennial reminder notice requirement is April 14, 2007. These plans can begin to prepare now to meet this requirement using the most efficient means, such as including the reminder notice of the availability of the Notice of Privacy Practices in open enrollment materials, a group health plan newsletter provided to all members, or similar all-member mailings.

Can a group health plan, or health insurance issuer with respect to a group health plan, disclose to the plan sponsor the protected health information (PHI) required by the Centers for Medicare and Medicaid Services (CMS) for the retiree drug subsidy, without obtaining the individual’s authorization?

Yes, when the conditions set forth in 45 CFR 164.504(f) of the HIPAA Privacy Rule have been met. Specifically, 45 CFR 164.504(f)(3)(i) allows a group health plan or a health insurance issuer with respect to the group health plan – or its business associate – to disclose PHI to a plan sponsor to carry out plan administration functions as long as it meets the requirements of 45 CFR 164.504(f)(2). As such, where the plan sponsor is carrying out the plan administration function of submitting to CMS the PHI required by 42 CFR 423.884 for the retiree drug subsidy, 45 CFR 164.504(f)(2) sets forth how the group health plan’s plan documents are to be amended to allow the group health plan to permit its health insurance issuer (or business associate, such as a third party administrator) to disclose PHI, without the individual’s authorization, to the plan sponsor of the group health plan. As with other disclosures for plan administration functions, the PHI disclosed must be limited to the minimum necessary to fulfill the requirements of 42 CFR 423.884.