The DataPath Voice

September 2007 Volume VI, Issue 9


HIPAA and Personal Health Records (PHRs)

The American Bar Association’s Joint Committee on Employee Benefits has posted its report of its annual question and answer session with representatives from HHS’s Office for Civil Rights (OCR).

The following are excerpts from the Q&A session between the Department of Health and Human Services and the Joint Committee on Employee Benefits. Employers and Third Party Administrators (TPAs) that offer participants health risk assessments (HRAs) or electronic personal health records (PHRs) should be aware of the OCR's opinions on whether certain scenarios would violate the HIPAA Privacy rules.

Question 3

If an individual executes a valid HIPAA authorization with a specified expiration date and subsequently dies before the expiration date, how does that affect the validity of the authorization?  If no expiration date is specified, does that change the result?  If the individual no longer has the ability to revoke the authorization (because they are deceased) is the scope of the authorization altered?  Has HHS made any efforts to coordinate state laws that may control this issue?


Question 4

May a self-insured employer discipline an employee based on enrollment information that shows that an employee has improperly enrolled a dependent in the employer’s health plan (e.g., ineligible ex-spouses, ineligible children above a specific age who are not college students, etc.)?


Question 6

There has been much discussion in the trade press regarding electronic personal health records (PHR).  Many of these discussions concern health care providers establishing and maintaining the PHR.  PHR arrangements also are provided by employer-sponsored plans through fully-insured arrangements with a health insurance carrier. 

Assume a plan contracts with a health insurance carrier to provide fully-insured group health benefits.  The coverage also includes a free service provided by the carrier to provide employees with electronic personal health records (PHR).  Although the carrier and a data storage company provide the service, it is part of the group health benefit provided by the group health plan.  For employees that wish to participate, claims and other health information such as lab results will be stored and sent to a data management service so that participants may start to keep a personal electronic health record. 

The plan has no access to any of the information in order to administer the service.  Must the plan execute a business associate agreement with the insurance carrier in order for the carrier to access PHI for this purpose?  Is the plan required to disclose the arrangement in its Notice of Privacy Practices?


Question 7

Recently, health plans, specifically employer-sponsored self insured group health plans, have started to provide PHRs for their employees and dependents who participate in the health plan.  These PHRs are typically accessible from a secure website using a specific user name and password.  In addition, one vendor’s particular type of PHR automatically integrates with a health plan’s third party claims administrators, so that when a participant goes to a physician and that physician files a claim with the third party claim administrator, the claims administrator will transmit a copy of the claim to the PHR vendor, and the PHR vendor will then automatically upload the claim into the participant’s PHR. 

The PHR and the automatic update process are provided for all participants without their request. However, in order to access the PHR, the participant must sign on to the secure website to view the PHR.  If a participant did not want a PHR for some reason, the participant would not be required to view the PHR on the secure website, but it would still be resident in the PHR vendor’s computer system in case the participant changed his or her mind in the future.  The PHR is not removed from the computer system, because if it was, the participant’s PHR would not automatically update. 

If the participant changed his or her mind in the future and wanted the PHR, the PHR would then not contain any updates and would need to be started from scratch. Because PHRs are provided without the consent of the participant or spouse, does this violate the HIPAA privacy rules?


Question 8

A group health plan contracts with a health insurance carrier to provide fully-insured group health benefits for its employees and dependents.  The carrier provides, at no additional charge to the plan, a service designed to assist employers in assessing the health risks of their employee population.  Under this service, the carrier administers a health risk assessment program (HRA) where employees can voluntarily fill out an online questionnaire that asks questions concerning height, weight, physical activity, and medical claims history. 

Individuals who complete the HRA receive a personalized health report from the carrier that assesses their health status and provides information on how the individual can improve or maintain their health status. The carrier contracts with a third party to assist in administering the program. The carrier also prepares a report for the plan sponsor that summarizes the results of the HRAs completed and provides aggregate information, including the medical history of those who completed the HRA. It does not include names, social security numbers, health plan account numbers, birth dates or specific dates of treatment, but does include the ages of the individuals who completed the survey and information about past diagnoses or recent treatment received. Other than this aggregate summary report, the plan sponsor does not have access to any other information from the HRAs or access to the completed HRAs.

Must the plan obtain a HIPAA business associate agreement with the carrier under the HIPAA privacy rule? Can the plan sponsor receive the aggregate summary report from the carrier without individual authorization? Does the analysis change if the plan is self-insured and the carrier is simply administering the self-insured benefit providing the HRA program? What are the plan's obligations to disclose the arrangement in its Notice of Privacy Practices?


Question 9

Some group health plans want to require that their employees complete a health risk assessment (HRA) in order to be eligible for coverage.  The plan would use the PHI obtained in the HRA in order to assess what types of wellness programs would work best to improve health outcomes in the plan.  Would this practice violate HIPAA privacy?


For the full text of the Q&A session, click here.
