The DataPath Voice

September 2007 Volume VI, Issue 9


HIPAA and Personal Health Records (PHRs)

Question 6

There has been much discussion in the trade press regarding electronic personal health records (PHRs). Many of these discussions concern health care providers establishing and maintaining the PHR. PHR arrangements are also provided by employer-sponsored plans through fully-insured arrangements with a health insurance carrier. Assume a plan contracts with a health insurance carrier to provide fully-insured group health benefits. The coverage also includes a free service, provided by the carrier, that gives employees electronic personal health records. Although the carrier and a data storage company provide the service, it is part of the group health benefit provided by the group health plan. For employees who wish to participate, claims and other health information, such as lab results, will be stored and sent to a data management service so that participants may begin keeping a personal electronic health record. The plan has no access to any of the information in order to administer the service. Must the plan execute a business associate agreement with the insurance carrier in order for the carrier to access PHI for this purpose? Is the plan required to disclose the arrangement in its Notice of Privacy Practices?

Proposed Answer

The group health plan is not required to have a business associate agreement with the carrier where the service is offered through a fully-insured arrangement. See generally 45 C.F.R. 164.506(c)(5). The carrier itself is a covered entity under HIPAA, is responsible for complying with HIPAA, and is required to have a business associate agreement with the data storage company.

A general description of the arrangement should be included in the Notice of Privacy Practices. However, the health insurance carrier, not the plan, is responsible for providing the Notice. 45 C.F.R. 164.520.

Answer

OCR agreed that no business associate agreement is required between the plan and the carrier. The carrier would be responsible for providing the Notice of Privacy Practices. OCR noted that the disclosure in question generally falls within the definition of "health care operations." The requirements for the Notice of Privacy Practices do not require an example for every type of disclosure, so a general description of this specific arrangement is not necessarily required, although it may be a prudent thing to do.

For the full text of the Q&A session, click here.