September 2007, Volume VI, Issue 9
HIPAA and Personal Health Records (PHRs)

Question 8

A group health plan contracts with a health insurance carrier to provide fully-insured group health benefits for its employees and dependents. The carrier provides, at no additional charge to the plan, a service designed to assist employers in assessing the health risks of their employee population. Under this service, the carrier administers a health risk assessment program (HRA) in which employees can voluntarily fill out an online questionnaire that asks questions concerning height, weight, physical activity, and medical claims history. Individuals who complete the HRA receive a personalized health report from the carrier that assesses their health status and provides information on how the individual can improve or maintain that status. The carrier contracts with a third party to assist in administering the program. The carrier also prepares a report for the plan sponsor that summarizes the results of the HRAs completed and provides aggregate information, including the medical history of those who completed the HRA. It does not include names, social security numbers, health plan account numbers, birth dates, or specific dates of treatment, but it does include the ages of the individuals who completed the survey and information about past diagnoses or recent treatment received. Other than this aggregate summary report, the plan sponsor does not have access to any other information from the HRAs or to the completed HRAs themselves.

Must the plan obtain a HIPAA business associate agreement with the carrier under the HIPAA Privacy Rule? Can the plan sponsor receive the aggregate summary report from the carrier without individual authorization? Does the analysis change if the plan is self-insured and the carrier is simply administering the self-insured benefit that provides the HRA program? What are the plan's obligations to disclose the arrangement in its Notice of Privacy Practices?
Proposed Answer

There is no requirement for the fully-insured plan to have a business associate agreement with the carrier. See generally 45 C.F.R. 164.506(c)(5). The carrier is itself a covered entity under HIPAA and has its own obligations to comply with HIPAA and to execute business associate agreements with its own third-party contractors. HIPAA allows the disclosure of information for health care operations without individual authorization. Health care operations include population-based activities related to improving health or reducing health care costs. As a result, the aggregate summary report may be disclosed to the plan sponsor without individual authorization, as long as plan document amendments are made pursuant to 45 C.F.R. 164.504(f).

Where the plan sponsor is self-insuring the benefit, a HIPAA business associate agreement must be executed with the carrier. The plan sponsor may receive the aggregate summary report if the plan documents have been amended pursuant to 45 C.F.R. 164.504(f).

The Notice of Privacy Practices should provide a general description of the arrangement. For a fully-insured plan, the health insurance carrier is responsible for providing the Notice. The insured group health plan is not required to provide or maintain the Notice under 45 C.F.R. 164.520(a)(2)(ii), since the information it receives in the aggregate summary report is "summary health information" as defined in 45 C.F.R. 164.504(a). The self-insured plan must provide the Notice.

Answer

OCR agreed that in the insured scenario the plan is not required to obtain a HIPAA business associate agreement with the carrier. In the self-insured example, a business associate agreement is required.
Concerning the disclosure of the aggregate summary report, OCR stated that the HIPAA regulation allows disclosure of health information to a plan sponsor (1) if the plan documents incorporate certain requirements, including restricting the plan sponsor's uses and disclosures to those permitted by the Privacy Rule, and the plan sponsor needs this information to perform plan administration functions of the group health plan; (2) if the information is limited to "summary health information" (as the term is defined in 164.504(a)) and is provided pursuant to 164.504(f)(1)(ii) for purposes of the plan sponsor shopping for or modifying the plan; or (3) if the information is de-identified in accordance with 164.514(a)-(c). Note that even if the identifiers listed at 164.514(b)(2)(i) are stripped, the information is not de-identified if the covered entity has actual knowledge that the information could be used, alone or in combination with other information, to identify an individual.

OCR agreed with the proposed answer concerning the responsibility for providing the Notice of Privacy Practices. With respect to the description in the Notice itself, OCR stated that the requirements for the Notice of Privacy Practices do not require an example of every type of disclosure, so a general description of this specific arrangement is not necessarily required, although it may be a prudent thing to do.
© 2007 DataPath, Inc.