Legal Bulletins

Employer Obligations for Privacy of Employee Health Information

All employer-sponsored health plans (except those that have fewer than 50 participants and are administered in-house) must comply with new privacy requirements imposed by the HIPAA privacy regulations, issued by the U.S. Department of Health and Human Services (HHS). The compliance deadline is April 14, 2003. In addition, employers that sponsor health plans will have HIPAA privacy compliance obligations. This client bulletin focuses on the HIPAA privacy obligations of employers that sponsor health plans, and outlines some common issues and choices that employers will face.

If you are an employer that sponsors a group health plan or a health flexible spending account (FSA), you may already have received information from your insurer or your third-party administrator (TPA) about the new privacy requirements. Unfortunately, many employers have received, or will soon receive, privacy forms and instructions that do not meet the requirements of the HIPAA privacy regulations and which may expose the employers to civil and criminal penalties. In addition, many employers assume that there is a one-size-fits-all compliance program for HIPAA privacy. In fact, however, different employers will have different needs and should take different approaches to complying with the HIPAA privacy requirements.

From the employer’s point of view, there are two main areas of concern: performance of plan administrative functions, and providing employees with assistance in resolving claims issues.

1. If an employer performs administrative functions for its health plan, what must the employer do to comply with the HIPAA privacy requirements?

Three things: Amendment, certification, and adequate separation.

Employers often perform administrative functions for their health plans or FSAs, and receive information from their insurers or TPAs in order to perform those functions. However, the HIPAA privacy regulations restrict what a plan, insurer, or TPA may disclose to the employer, and impose specific requirements that must be satisfied before such disclosures may be made. To meet these requirements, the plan documents must be amended to specify how the employer may use information disclosed by the group health plan, and the employer must give the plan a certification covering a long list of items, including that the employer:

  • Will not use or disclose the information for employment-related actions or in connection with any other benefit or employee benefit plan;
  • Will ensure that any agents to whom the employer discloses the information will agree to the same limits as the employer;
  • Will report to the plan any use or disclosure of the information that is inconsistent with the uses or disclosures provided for;
  • Will make its internal practices, books, and records relating to the use and disclosure of employee health information available to HHS for the purpose of determining whether the plan is in compliance with the regulations; and
  • Will return or destroy all employee health information received from the group health plan when it is no longer needed for the purpose for which it was disclosed or, if return or destruction is not feasible, limit further uses and disclosures to those purposes that make the return or destruction infeasible.

In addition, the employer must ensure “adequate separation” between the group health plan and the employer. To accomplish this, the plan documents must:

  • Describe those employees or classes of employees of the plan sponsor to be given access to employee health information, including employees who, in the ordinary course of business, receive information relating to payment under, health care operations of, or other matters pertaining to the group health plan;
  • Restrict such employees’ access to, and use of, employee health information to the plan administration functions that the plan sponsor performs; and
  • Provide an effective mechanism for resolving issues of noncompliance.

Unless these requirements are all met, a group health plan or health FSA will be allowed to disclose only “summary health information” (see question 3, below) or enrollment and disenrollment information to the employer.

Some employers have received documents from insurers and TPAs that are intended to permit disclosure of information to employers, but that do not meet the amendment, certification, and adequate separation requirements. Other documents appear to permit disclosure of information to the employers, but actually just place responsibility for compliance with the HIPAA privacy requirements on the employers. And, finally, some employers that would prefer not to have to satisfy the HIPAA privacy requirements, and are willing to limit the information they receive, are simply being given documents without first being given guidance about their HIPAA privacy compliance options.

2. If members of an employer’s staff (such as HR professionals) assist employees with claims problems, and need information from the health plan in order to provide the assistance, what does the employer need to do?

Obtain an authorization from the employee that complies with the HIPAA privacy requirements.

Many employers allow or encourage their employees to seek the assistance of the employer’s HR professionals to resolve health plan claims problems. Often, resolution of those problems requires disclosure of employee health information by the health plan to the HR professionals. However, HHS takes the position that a group health plan or an insurer may not disclose that information to the employer unless the employee signs an “authorization.”

To qualify as an “authorization,” a document must meet a number of specific requirements, including the following:

  • It must be in writing, in plain language, signed, and dated;
  • It must include a specific and meaningful description of the information to be used or disclosed;
  • It must include the name or other specific identification of the persons authorized to make the use or disclosure;
  • It must include the name or other specific identification of the persons to whom the covered entity is authorized to make the disclosure;
  • It must have an expiration date or an expiration event;
  • It must include a statement that the individual has the right to revoke the authorization in writing; and
  • It must include a statement that when employee health information is used or disclosed under the authorization, the information may no longer be protected by the regulations and may be redisclosed by the recipient.

Many of the documents being provided to employers that are called “authorizations,” or that are intended to serve as authorizations under the HIPAA privacy regulations, do not meet these requirements. Other documents that appear to permit disclosure of information to employers actually just place responsibility for compliance with the HIPAA privacy requirements on employers, without guidance and without advice as to other options that might be available.

3. Is it possible for an employer that sponsors a health plan to avoid some or all of the HIPAA privacy requirements?

Only under two very limited conditions.

First, if a health plan provides benefits only through insurance or an HMO (or a combination of the two), the employer may receive “summary health information” from the insurer or HMO without amending the plan, making a certification, and providing for adequate separation, and without obtaining authorizations from the plan participants. However, the employer may only use that information for two purposes:

  • To obtain premium bids for health insurance coverage; or
  • To modify, amend, or terminate the health plan.

“Summary health information” is information summarizing the claims history, claims expenses, or types of claims experienced by plan participants, from which 17 separate categories of identifying information have been removed.

Second, an employer that receives only enrollment and disenrollment information from its health plan will have no HIPAA privacy obligations. However, employers that receive only enrollment and disenrollment information will not be able to decide health plan appeals, and will have to make sure there is a named fiduciary to decide appeals. In addition, those employers may have difficulty fulfilling their fiduciary obligations under the Employee Retirement Income Security Act (ERISA), which requires that a fiduciary prudently select and monitor service providers (including insurers and TPAs).

Employer Action Items

  • If you sponsor a group health plan or a health FSA, and you expect to be able to receive anything more than summary health information or enrollment and disenrollment information from the plan or your insurer, or if you expect your HR staff to be able to assist your employees in resolving health plan claims issues, you will need to take action before the HIPAA privacy compliance date of April 14, 2003 to ensure that you will be able to obtain the information you need from the plan without violating HIPAA.
  • If your insurer or TPA has not already contacted you about these issues, you should contact them now to find out what their HIPAA privacy compliance policies will be and when they will be implemented.
  • If your HR staff will be assisting employees in resolving claims issues, you should make sure that you use an authorization form that complies with the HIPAA privacy requirements.
  • If you want to receive anything more than summary health information or enrollment and disenrollment information from your group health plan, you will need to amend your plan in a manner that your insurer or TPA will accept, and you will need to prepare the employer certification and ensure adequate separation between plan functions and employer functions.
  • Finally, if you have already received forms and information on HIPAA privacy from your insurer or TPA, you should have them reviewed to make sure they comply with the requirements of the HIPAA privacy regulations in the manner that is best for you.