HIPAA. Privacy and Security Frequently Asked Questions for Employers. Gallagher Benefit Services, Inc.


2013 HIPAA Privacy and Security Frequently Asked Questions for Employers
Gallagher Benefit Services, Inc.

Disclaimer

We share this information with our clients and friends for general informational purposes only. It does not necessarily address all of your specific issues. It should not be construed as, nor is it intended to provide, legal advice. Questions regarding specific issues and the application of these rules to your plans should be addressed by your legal counsel. This set of FAQs is intended to be used in conjunction with the HIPAA: Privacy and Security Executive Summary. It is intended to cover, and is focused on, HIPAA as it applies to our clients, not as it applies to GBS as a Business Associate. Please refer to the BOSS standards if you have questions regarding GBS responsibilities as a Business Associate.

Contents

General
- Does HIPAA protect all personal information or only personal health information?
- Who must comply with HIPAA?
- Who is a covered entity?
- Who are business associates?

Covered Entity
- Since business associates are governed by HIPAA, is it necessary for a covered entity to have a contract with its business associates?
- Is a covered entity liable for, or required to monitor, the actions of its business associates?
- If a covered entity has a compliant business associate agreement with a business associate that is a business associate agent, is the covered entity permitted to rely solely on the business associate agreement for the business associate's compliance?
- Instead of entering into a contract, can business associates self-certify or be certified by a third party as compliant with the HIPAA Privacy Rule?
- Are all health plans considered covered entities and therefore subject to HIPAA?
- Is a health care flexible spending account a covered entity for purposes of the Privacy Rule?
- Are group health plans required to create and maintain specific documents in order to access, use and disclose PHI?
- Is a group health plan sponsor a covered entity under HIPAA?
- If an employer offers a fully insured group health plan, is the fully insured group health plan subject to all of the Privacy Rule provisions?

Business Associates
- Is an entity that is acting as a third party administrator to a group health plan a covered entity?
- May a covered entity share PHI directly with another covered entity's business associate?
- Is a health insurance company, service organization such as Blue Cross or HMO that provides health insurance to a group health plan a business associate of the group health plan?
- Is a physician or other health care provider a business associate of a health plan or other payer?
- Is a reinsurer or stop loss carrier a business associate of a health plan?
- Is a software vendor a business associate of a covered entity?
- Is a business associate agreement required with organizations or persons where inadvertent contact with PHI may result, such as in the case of janitorial services?
- 21. Would business associate agreements in electronic form, with an electronic signature, satisfy the HIPAA Privacy Rule's business associate agreement requirements?
- Does the HIPAA Privacy Rule require a business associate to create a notice of privacy practices?
- If the only PHI a business associate receives is a limited data set, does the HIPAA Privacy Rule require the covered entity to enter into both a business associate agreement and a data use agreement with the business associate?

Permitted and Required Disclosures of PHI
- When does the Privacy Rule require a covered entity such as a group health plan to disclose PHI?
- When is a covered entity such as a group health plan permitted to disclose PHI?
- What actions must a plan sponsor take regarding permitted uses and disclosures?
- Assuming a use or disclosure is authorized, required or permitted, are there any limitations on the use or disclosure of PHI under these circumstances?

Minimum Necessary Standard
- Does the minimum necessary standard apply to all uses and disclosures?
- Are business associates required to restrict their uses and disclosures to the minimum necessary?
- May a covered entity reasonably rely on a request from a covered entity's business associate as the minimum necessary?
- How are covered entities expected to determine what is the minimum necessary information that can be used, disclosed, or requested for a particular purpose?
- Is a covered entity required to apply the HIPAA Privacy Rule's minimum necessary standard to a disclosure of PHI it makes to another covered entity?
- Must the HIPAA Privacy Rule's minimum necessary standard be applied to uses or disclosures that are authorized by an individual?

Individual Rights with Respect to Their Own PHI
- Does the HIPAA Privacy Rule require a covered entity or business associate to provide individuals with access to their PHI or an accounting of disclosures, or an opportunity to amend PHI?
- Does the right to access PHI provide an individual with unlimited ability to access his or her PHI?
- Does the individual have the right to request that his or her PHI be amended?
- Must a group health plan agree to an individual's request to restrict uses and disclosure of the individual's PHI?
- Does the right to an accounting mean that group health plans must provide an individual with a complete accounting of all disclosures of that individual's PHI from the very first disclosure through the date of the request?
- 38. Must a group health plan accommodate all requests to communicate with an individual in a confidential manner?

Authorization to Use and Access PHI
- May a covered entity disclose PHI specified in an authorization, even if that information was created after the authorization was signed?
- Must an authorization include an expiration date?

Personal Representatives and Minors
- Must the authorization to use, access or disclose PHI, when required, come from the individual whose PHI is sought to be used, accessed or disclosed, or can the authorization come from the employee or the individual's personal representative?
- Can the personal representative of an adult or emancipated minor obtain access to the individual's PHI?
- Does the HIPAA Privacy Rule allow parents the right to see their children's PHI?
- When an individual reaches the age of majority or becomes emancipated, who controls the PHI concerning health care services rendered while the individual was an unemancipated minor?

Incidental Disclosures
- Are covered entities required to document incidental disclosures permitted by the HIPAA Privacy Rule in an accounting of disclosures provided to an individual?
- Is a covered entity required to prevent all incidental uses or disclosures of PHI?

Workers' Compensation
- If a State law says that a covered entity may disclose records relating to the treatment provided to an injured worker to a workers' compensation insurer for purposes of determining the amount of or entitlement to payment under the workers' compensation system, is the covered entity permitted to disclose this information under the HIPAA Privacy Rule?

Notice of Privacy Practices
- Is it sufficient to provide a new enrollee with a notice of privacy practices only upon enrollment?
- Does the HIPAA Privacy Rule require a business associate to create a notice of privacy practices?
- Are covered entities permitted to give individuals a layered notice?
- Are group health plans required to make a good faith effort to obtain from their enrollees a written acknowledgement of receipt of the notice?
- Does a group health plan have to provide a copy of its notice to each dependent receiving coverage under a policy?
- 53. Is a group health plan required to periodically notify enrollees about the availability of its Notice of Privacy Practices and how to obtain a copy?

Security Rule
- What is the purpose of the HIPAA Security Rule?
- Who is required to comply with the Security Rule?
- Does the Security Rule apply to written and oral communications?
- Do the standards of the Security Rule require use of specific technologies?
- What is a security standard?
- What is an implementation specification?
- What is the difference between addressable and required implementation specifications in the Security Rule?
- What does the Security Rule mean by administrative safeguards?
- What does the Security Rule mean by physical safeguards?
- What does the Security Rule mean by technical safeguards?
- Is the use of encryption mandatory in the Security Rule?
- What is encryption?
- Do the Security Rule requirements for access control, such as automatic logoff, apply to employees who telecommute or have home-based offices if the employees have access to electronic PHI (e-phi)?
- Does the Security Rule allow for sending electronic PHI (e-phi) in an email or over the Internet? If so, what protections must be applied?
- Under the Security Rule, must plan sponsors report security incidents to the group health plan? If so, what types of incidents must be reported and what level of detail is required?
- Are we required to certify our organization's compliance with the standards of the Security Rule?
- How does a covered entity know if it is compliant with the Security Rule's requirements?
- Does the Security Rule allow a covered entity to network computers, i.e., connect two computer systems, either within the covered entity, between two covered entities, or between a covered entity and its business associate(s), so that they can exchange information directly?

Disposal of PHI and Media Containing PHI
- What do the HIPAA Privacy and Security Rules require of covered entities when they dispose of PHI?
- 73. May a covered entity dispose of PHI in dumpsters accessible by unauthorized individuals or by the public?
- May a covered entity hire a business associate to dispose of PHI?
- May a covered entity reuse or dispose of computers or other electronic media that store electronic PHI?

Breaches
- Do all impermissible uses and disclosures of PHI constitute a breach?
- In the event of an impermissible use or disclosure of PHI, what should I, as a covered entity, do to make the appropriate determination of whether a breach did in fact occur?
- How can PHI be secured?
- If a covered entity experiences a breach of unsecured PHI, who must be notified?
- If a covered entity does experience a breach, when will it be required to notify affected individuals and what information must be contained in the notification?
- Other than notifying affected individuals that their PHI may have been involved in a breach, does a covered entity need to notify governmental authorities or local media outlets?

Preemption of State Law
- When is a State law "contrary" to the HIPAA Privacy or Security Rule?
- When is a State law "more stringent" than the HIPAA Privacy or Security Rule?
- A State law provides greater privacy protections on patients' HIV information than the HIPAA Privacy Rule. Is this more protective State law preempted by the Privacy Rule?

Penalties for HIPAA Violations
- Compliance with all these requirements appears daunting; what could happen if a covered entity does not make a good faith effort to comply?

General

1. Does HIPAA protect all personal information or only personal health information?

Actually, neither. HIPAA only covers protected health information (PHI). PHI is all "individually identifiable health information" in any form or media, electronic or non-electronic, including oral communication, that is held or transmitted by a covered entity such as a group health plan. PHI includes electronic PHI (ephi), which is PHI that is transmitted or maintained in electronic media. The Security Rule specifically relates to ephi. The Privacy Rule and the Breach Notification requirements apply to all PHI.

"Individually identifiable health information" is information, including demographic data, created or received by a health care provider, health plan, or health care clearinghouse, that relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present or future payment for health care to an individual, and that identifies the individual (or could reasonably be used to identify the individual).

If information is "de-identified," then it is not PHI and is not covered by the HIPAA Privacy and Security Rules. De-identified information is information that does not identify any individual and for which there is no reasonable basis to believe that the information can be used to identify an individual. In order to be de-identified, the following specific data elements must be removed:
- Names
- All geographic information relating to subdivisions smaller than a state, except for the initial three digits of a zip code, provided that all zip codes sharing those three initial digits together contain 20,000 or more people; three-digit zip prefixes covering fewer than 20,000 people are grouped into a single 000 zip code
- All elements of dates (except year) directly related to an individual, e.g., birth date or admission date, and information indicative of age
- Telephone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Web Universal Resource Locators (URLs)
- Internet Protocol (IP) addresses
- Biometric identifiers, including finger and voice prints
- Full-face photographic images and any comparable images
- Any other unique identifying number, characteristic, or code

2. Who must comply with HIPAA?

The HIPAA Rules apply to covered entities and business associates.
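The de-identification list in question 1 is a concrete data-transformation rule, so the following Python example (added here; it is not part of the Gallagher document) applies it to a constructed plan record: direct identifiers are dropped by retaining only an allow-list of non-identifying fields, dates are reduced to the year, the zip code is reduced to its three-digit prefix or to 000 using the 20,000-person rule quoted above, and free-text notes are scanned for identifiers that survive in prose (phone numbers, Social Security numbers, email addresses, IP addresses, URLs). The field names, the regular expressions, the sample record and the zip-prefix population table are all assumptions constructed for the example, not data from the document.

```python
import re
from datetime import date

# Fields that may be retained unchanged: codes and coarse attributes that are
# not on the removal list. Allow-listing (rather than enumerating identifier
# fields) also covers the list's catch-all item, "any other unique
# identifying number, characteristic, or code". Names are constructed.
RETAINED_FIELDS = {"diagnosis_code", "procedure_code", "sex"}

# Fields kept in generalized form rather than dropped (constructed names).
ZIP_FIELD = "zip"
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date"}
FREE_TEXT_FIELD = "notes"

# Three-digit zip prefixes whose combined area has fewer than this many
# people are collapsed to 000 (the threshold quoted in the FAQ).
ZIP3_POPULATION_THRESHOLD = 20_000

# Heuristic patterns for identifiers that often hide in free text. These are
# constructed for the example and are not the regulation's definitions.
RESIDUAL_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
}


def generalize_zip(zip_code, zip3_population):
    """Reduce a zip code to its 3-digit prefix, or to '000' when the area
    sharing that prefix has fewer than 20,000 people. A prefix missing from
    the population table is treated as small, which errs on the safe side."""
    digits = re.sub(r"\D", "", zip_code or "")
    if len(digits) < 3:
        return "000"
    prefix = digits[:3]
    if zip3_population.get(prefix, 0) < ZIP3_POPULATION_THRESHOLD:
        return "000"
    return prefix


def generalize_date(value):
    """Keep only the year of a date given as datetime.date or ISO string."""
    if isinstance(value, date):
        return value.year
    match = re.match(r"^(\d{4})", str(value))
    return int(match.group(1)) if match else None


def find_residual_identifiers(text):
    """Return the sorted identifier types whose pattern matches in text."""
    return sorted(k for k, p in RESIDUAL_PATTERNS.items() if p.search(text or ""))


def deidentify(record, zip3_population):
    """Return a de-identified copy of record (a dict). Anything not retained,
    generalized, or scanned is dropped."""
    out = {}
    for key, value in record.items():
        if key in RETAINED_FIELDS:
            out[key] = value
        elif key == ZIP_FIELD:
            out["zip3"] = generalize_zip(value, zip3_population)
        elif key in DATE_FIELDS:
            out[key.replace("_date", "_year")] = generalize_date(value)
        elif key == FREE_TEXT_FIELD:
            # Free text cannot be allow-listed field by field, so redact the
            # whole note if any identifier pattern is found in it.
            if find_residual_identifiers(value):
                out[key] = "[REDACTED: identifier found in free text]"
            else:
                out[key] = value
        # every other field (name, ssn, email, ...) is dropped
    return out


# Constructed sample input; no real person or plan is described.
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "ssn": "123-45-6789",
    "email": "jane@example.com",
    "zip": "02134",
    "birth_date": "1980-05-17",
    "admission_date": date(2013, 2, 3),
    "diagnosis_code": "E11.9",
    "notes": "Patient asked for callback at 617-555-0100.",
}
# Constructed population figures per three-digit zip prefix.
SAMPLE_ZIP3_POPULATION = {"021": 500_000, "036": 12_000}

if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORD, SAMPLE_ZIP3_POPULATION))
```

Two design choices matter in practice: the allow-list means a new field added upstream is dropped by default rather than leaking, and a zip prefix absent from the population table is collapsed to 000 rather than kept. The free-text scan is a heuristic check that catches the common cases; it does not make a note safe on its own, which is why the whole note is redacted when anything matches.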

3. Who is a covered entity?

Covered entities are:
- Health plans;
- Health care clearinghouses;
- Health care providers who conduct certain financial and administrative transactions electronically. These electronic transactions are those for which standards have been adopted by the Department of Health and Human Services (HHS) under HIPAA, such as electronic billing and fund transfers.

Health plans include group health plans regardless of the type of employer sponsoring the plan (private, governmental or church). They also include insurance companies, service organizations such as Blue Cross, and HMOs when they are providing health insurance. Covered entities are bound by the privacy standards even if they contract with others (called "business associates") to perform some of their essential functions.

4. Who are business associates?

Business associates are persons that perform, or assist a covered entity in performing, an activity that involves the use or disclosure of PHI, or who provide certain services to or for a covered entity. Key to this definition, though, is that the service in question must involve the use of PHI. Business associates of a group health plan may include TPAs; independent medical reviewers and UR entities; PBMs; vendors performing payroll services or data processing; vendors who administer COBRA, flexible benefit plans, dental or vision plans or certain disease management programs; and health insurance brokers and agents. Employees of a covered entity are not business associates. Employers and other plan sponsors (such as a board of trustees) are not business associates either, nor is the union that represents workers covered under the group health plan. An insurance company is a covered entity under an insured health plan. Under a self-funded health plan where the insurance company functions as the TPA by providing claims and other services, the insurance company is a business associate, not a covered entity.

Covered Entity

5. Since business associates are governed by HIPAA, is it necessary for a covered entity to have a contract with its business associates?

Yes. Even though both entities are directly covered by the Privacy Rule, the covered entity still needs to create an agreement to govern the activities that involve the use of the PHI. This agreement is called a business associate agreement. All business associate agreements must include:
- Provisions requiring the business associate not to use or disclose PHI except as required or permitted by the Privacy Rule.
- Provisions requiring business associates to comply with the HIPAA Security Rule.
- Provisions requiring business associates to report to the covered entity any impermissible use or disclosure of PHI, including any incident involving unsecured PHI that may constitute a breach.
- Provisions requiring business associates to obtain satisfactory assurances that subcontractors agree to comply with the conditions and restrictions of the underlying business associate agreement as applied to PHI.
- Provisions requiring the business associate to make available PHI in a designated record set to the covered entity so that the covered entity can comply with its Privacy Rule obligations.
- Provisions requiring the business associate to make any amendments to PHI in a designated record set as directed or agreed to by the covered entity.
- Provisions requiring the business associate to make its internal practices, books and records available to HHS for the purpose of determining compliance with the HIPAA Rules.

HIPAA's business associate provisions also apply to a business associate's subcontractors (persons or entities that provide services involving PHI to a business associate so that it can fulfill its contractual duties) if the subcontractors create, receive, maintain, or transmit PHI on behalf of the business associate. Subcontractors need only have the ability to access PHI to become business associates; they do not need to actually access the information. The regulations include the example of a document shredding company hired by a TPA: the shredding company is a business associate because it has the ability to access the PHI, even if it never does. Sample business associate agreement provisions are available on the Department of Health and Human Services website.

6. Is a covered entity liable for, or required to monitor, the actions of its business associates?

Maybe. The HIPAA Privacy Rule requires covered entities to enter into written contracts or other arrangements with business associates that protect the privacy of PHI, but covered entities are not required to monitor or oversee the means by which their business associates carry out privacy safeguards or the extent to which the business associate abides by the privacy requirements of the contract. Nor is the covered entity responsible or liable for the actions of its business associates. Business associates will be directly liable for civil money penalties for their violations of the HIPAA Rules. However, if a covered entity is aware of an activity or practice that constitutes a material breach or violation, the covered entity is required to take steps to cure the breach or end the violation and, if those steps are not successful, to terminate the contract. Covered entities must also be cognizant of the actions of business associates that are also their agents.

7. If a covered entity has a compliant business associate agreement with a business associate that is a business associate agent, is the covered entity permitted to rely solely on the business associate agreement for the business associate's compliance?

No. Covered entities and business associates will be liable for the acts of their business associate agents (in this context, "agent" is not the same as an insurance agency; see the next paragraph for the definition of agent), regardless of whether the covered entity has a compliant business associate agreement in place. This is to ensure that where a covered entity or a business associate has delegated an obligation under the HIPAA Rules, the covered entity or business associate remains liable for penalties associated with the failure of its business associate agent to perform the obligations on the covered entity's or business associate's behalf.

11 The determination of whether an agency relationship exists between a covered entity and its business associate (or business associate and its subcontractor) will be made under Federal common law principles. The essential factor in this determining is the right or authority of a covered entity to control the business associate s conduct in the course of performing a service on behalf of the covered entity. 8. Instead of entering into a contract, can business associates self-certify or be certified by a third party as compliant with the HIPAA Privacy Rule? No. A covered entity is required to enter into a contract or other written arrangement with a business associate that meets the requirements of the Privacy Rule. 9. Are all health plans considered covered entities and therefore subject to HIPAA? No. Health plans covered by the HIPAA Rules include group health plans, health insurers, service organizations such as Blue Cross, HMOs, insurers of long-term care policies (other than nursing home fixed indemnity policies), multiemployer health plans, multiple employer health plans, and any other individual and/or group plans providing or paying for the cost of medical care. The HIPAA requirements also apply to most government plans such as Medicare, Medicaid, Tricare and State Children s Health Insurance Plans. Unlike the HIPAA Portability rules and PPACA, this definition includes medical, dental, vision, hearing, prescription drug, medical flexible spending account plans, health reimbursement accounts, many wellness programs and employee assistance plans (except those that provide referral services only). It also includes on-site clinics. Health savings accounts are generally not health plans and are not subject to HIPAA. A group health plan that has less than 50 participants and is administered solely by the employer that established and maintains the plan is not subject to the HIPAA Privacy and Security Rules. 
For this definition participant includes all employees or former employees of the employer who are or may become eligible to receive a benefit or whose beneficiaries may be eligible to receive benefits. As a result, if an employer maintains a health care flexible spending account ( FSA ) or health reimbursement arrangement ( HRA ) that is administered by a third party or has 50 or more participants, then that FSA or HRA plan must comply with HIPAA Privacy and Security Rules even if only 25 employees are actually participating in the plan. 10. Is a health care flexible spending account a covered entity for purposes of the Privacy Rule? Yes, unless it has fewer than 50 participants and is self-administered. Employee welfare benefit plans with fewer than 50 participants and that are self-administered are not subject to the HIPAA Privacy and Security Rules. Dependent day care flexible spending accounts are not health plans. 11. Are group health plans required to create and maintain specific documents in order to access, use and disclose PHI? Yes. In order for a group health plan to use and disclose PHI as permitted by the Privacy Rule, the group health plan must have a privacy policy that includes the following provisions: a) An explanation of how the plan may use or disclose PHI including what uses and disclosures are required, which are permitted and which will require an authorization. b) A statement of the individual s rights such as the opportunity to inspect and copy and inspect their own PHI, the opportunity to request an amendment to their PHI (although the plan is 4

12 generally not required to agree), the opportunity to request a restriction on the disclosure of their PHI (although the plan is not required to agree), and the right to an accounting of disclosures not made as part of treatment, payment or health care operations or in response to an authorization. c) The identity of the privacy official (title), contact information and procedures for complaints, and a statement concerning sanctions for violations of the privacy policy, d) A statement that the group health plan will not intimidate, threaten, coerce, discriminate against or take other retaliatory action against individuals for exercising their HIPPA rights. e) A statement that the plan will mitigate, to the extent possible, any harmful affects that become known to the plan from a use or disclosure that violates the privacy rules and a statement that affected individuals will be notified in the event of a breach of unsecured PHI. f) A statement that the group health plan will make the plan's internal practices, books and records relating to the use and disclosure of PHI available to the Secretary of the Department of Health and Human Resources for compliance purposes. g) A statement that the group health plan will ensure that adequate separation exists between employees who are authorized to use PHI and those who are not; describe those employees or classes of employees to be given access to the PHI; restrict the access to and use of PHI to these employees; and provide an effective mechanism for resolving any issues of noncompliance by persons who have access to PHI. 
In addition, in order for the group health plan to disclose PHI to the plan sponsor the group health plan must obtain a written certification from the plan sponsor that the plan sponsor agrees to: a) Not use or further disclose PHI other than as permitted or required by the plan documents or as required by law; b) Ensure that any agents, to whom it provides PHI agree to the same restrictions and conditions that apply to the plan sponsor; c) Not use or disclose the information for employment-related actions and decisions or in connection with any other benefit plan of the plan sponsor; d) Report to the group health plan any use or disclosure of PHI that is inconsistent with the permitted or required uses or disclosures. 12. Is a group health plan sponsor a covered entity under HIPAA? No. Employers are not covered entities. Covered entities under HIPAA are health care clearinghouses, most health care providers, and health plans. A group health plan is one type of health plan and is a covered entity (except for self-administered plans with fewer than 50 eligible participants). The group 5

13 health plan is considered to be a separate legal entity from the employer or other parties that sponsor the group health plan. However, the Privacy Rule does control the conditions under which the group health plan may share PHI with the employer (or plan sponsor if not the employer) when the information is necessary for the plan sponsor to perform certain administrative functions on behalf of the group health plan. Among these conditions is receipt of a certification from the employer or plan sponsor that the health information will be protected as required by the Privacy Rule, will not be used for other benefit plans without authorization from the individual who is the subject of the PHI, and will not be used for employment-related actions. 13. If an employer that offers a fully insured group health plan is the fully insured group health plan subject to all of the Privacy Rule provisions? The Privacy Rule recognizes that certain fully insured group health plans may not need to satisfy all of the requirements of the Privacy Rule since these responsibilities will be carried out by the health insurer, service organization or HMO with which the group health plan has contracted for coverage. For example, a fully insured group health plan that does not create or receive PHI, but only receives summary health information and enrollment or disenrollment information, is not required to provide a notice of privacy practices. Fully insured group health plans are exempt from most of the administrative responsibilities under the Privacy Rule. These health plans are still required to refrain from intimidating or retaliatory acts and from requiring an individual to waive their privacy rights. However, if these plans want to assist employees with claims questions, the plan administrator will need to obtain a written authorization from the individual who is the subject of the PHI since resolving claims questions will virtually always involve disclosure of PHI. 
Business Associates 14. Is an entity that is acting as a third party administrator to a group health plan a covered entity? No, providing services to or acting on behalf of a health plan does not transform a third party administrator (TPA) into a covered entity. Generally, a TPA of a group health plan would be acting as a business associate of the group health plan. An insurance company that is acting as a TPA to a self-funded group health plan is a business associate with respect to that particular health plan. The same insurance company will be a covered entity to a group health plan where it provides health insurance. 15. May a covered entity share PHI directly with another covered entity's business associate? Yes. If the HIPAA Privacy Rule permits a covered entity to share PHI with another covered entity, the covered entity is permitted to make the disclosure directly to a business associate acting on behalf of that other covered entity. 16. Is a health insurance company, service organization such as Blue Cross or HMO that provides health insurance to a group health plan a business associate of the group health plan? A health insurance service organization such as Blue Cross that is providing health insurance to a group health plan is a covered entity with respect to that group health plan. The relationship between the group health plan and the health insurer, service organization or HMO is defined by the Privacy Rule as an organized health care arrangement (OHCA), with respect to the individuals they jointly serve or have 6

served. Thus, these covered entities are permitted to share PHI that relates to the joint health care activities (operations) of the OHCA. However, where a group health plan contracts with a health insurance issuer or HMO to perform functions or activities, or to provide services, that are in addition to or not directly related to the joint activity of providing insurance, the health insurance issuer or HMO may be a business associate with respect to those additional functions, activities, or services.

17. Is a physician or other health care provider a business associate of a health plan or other payer?

Generally, providers are covered entities, not business associates. However, a business associate relationship could arise if the health care provider is performing another function on behalf of the group health plan, such as providing claims review or case management services.

18. Is a reinsurer or stop loss carrier a business associate of a health plan?

Generally, no. A reinsurer or stop loss carrier does not become a business associate of a health plan simply by selling a reinsurance policy to a health plan and paying claims under the reinsurance policy. If the reinsurance or stop loss contract is not a health insurance contract, then the reinsurer or stop loss carrier is not a covered entity. However, a business associate relationship could arise if the reinsurer is performing a function on behalf of, or providing services to, the health plan that does not directly relate to the provision of the reinsurance benefits.

19. Is a software vendor a business associate of a covered entity?

The mere selling or providing of software to a covered entity does not give rise to a business associate relationship if the vendor does not have access to the PHI of the covered entity. If the vendor needs access to the PHI of the covered entity in order to provide its service, the vendor would be a business associate of the covered entity. For example, a software company that hosts the software containing PHI on its own server, or that accesses PHI when troubleshooting the software, is a business associate of the covered entity. In these situations, a covered entity would be required to enter into a business associate agreement before allowing the software company access to PHI.

20. Is a business associate agreement required with organizations or persons where inadvertent contact with PHI may result, such as in the case of janitorial services?

A business associate agreement is not required with persons or organizations whose functions, activities, or services do not involve the use or disclosure of PHI, and where any access to PHI by such persons would be incidental, if at all. Generally, janitorial services that clean the offices or facilities of a covered entity are not business associates because the work they perform for covered entities does not involve the use or disclosure of PHI, and any disclosure of PHI to janitorial personnel that occurs in the performance of their duties (such as may occur while emptying trash cans) is limited in nature, occurs as a by-product of their janitorial duties, and could not reasonably be prevented. If a service is hired to do work for a covered entity where disclosure of PHI is not limited in nature (such as routine handling of records or shredding of documents containing PHI), it likely would be a business associate. However, when such work is performed under the direct control of the covered entity (e.g., on the covered entity's premises), the Privacy Rule permits the covered entity to treat the service as part of its workforce, and the covered entity need not enter into a business associate agreement with the service.

21. Would business associate agreements in electronic form, with an electronic signature, satisfy the HIPAA Privacy Rule's business associate agreement requirements?

Yes, assuming that the electronic contract satisfies the applicable requirements of State contract law. The Privacy Rule generally allows electronic documents, including business associate agreements, to qualify as written documents for purposes of meeting the Privacy Rule's requirements.

22. Does the HIPAA Privacy Rule require a business associate to create a notice of privacy practices?

No. However, a covered entity must ensure through its contract with the business associate that the business associate's uses and disclosures of PHI and other actions are consistent with the covered entity's privacy policies, as stated in the covered entity's notice. Also, a covered entity may use a business associate to distribute its notice to individuals.

23. If the only PHI a business associate receives is a limited data set, does the HIPAA Privacy Rule require the covered entity to enter into both a business associate agreement and a data use agreement with the business associate?

No. Where a covered entity discloses only a limited data set to a business associate for the business associate to carry out a health care operations function, the covered entity satisfies the Privacy Rule's requirement that it obtain satisfactory assurances from its business associate with the data use agreement alone.
The covered entity must obtain a data use agreement from the business associate which must: (1) describe how the business associate is permitted to use and/or disclose the information, which must be consistent with the Privacy Rule; (2) establish who is permitted to use or receive the data set; (3) provide that the business associate will not further use or disclose the data set except as permitted by the agreement or required by law; (4) provide that the business associate will notify the covered entity of any impermissible use or disclosure of which it becomes aware; and (5) provide that the business associate will not contact the individuals involved. A limited data set is de-identified information that may also contain certain zip code and/or date information.

Permitted and Required Disclosures of PHI

24. When does the Privacy Rule require a covered entity such as a group health plan to disclose PHI?

The Privacy Rule requires group health plans to disclose PHI in only two instances:

1. to the individual who is the subject of the PHI, when the individual requests it; and
2. to the Secretary of the Department of Health and Human Services, when the Secretary is undertaking a compliance investigation, compliance review or enforcement action.

25. When is a covered entity such as a group health plan permitted to disclose PHI?

A group health plan is prohibited from "using" or "disclosing" PHI except:

(a) with written authorization from the individual who is the subject of the PHI (this may not be the employee); or
(b) as explicitly permitted by the Privacy Rule; or
(c) as required by the Privacy Rule.

Health information is "used" when shared within the entity that holds the information (internal), while health information is "disclosed" when it is shared outside the entity (external). However, with the exception of psychotherapy notes and HIV antibody and antigen testing and treatment information, a group health plan with proper plan language in its documents does not need to obtain an individual's consent for the use and disclosure of PHI for payment or health care operations (or treatment, in the case of on-site clinics). A group health plan may not use or disclose genetic information for underwriting purposes even if the individual signs an authorization for such purposes. This prohibition applies regardless of when or where the genetic information originated.

26. What actions must a plan sponsor take regarding permitted uses and disclosures?

The plan sponsor will need to limit the employees who may access or use PHI to only those employees performing group health plan administrative functions (i.e., payment and health care operations). The plan sponsor may designate a class of employees (e.g., all employees assigned to a particular department) or individual employees. The plan sponsor may identify these employees in whatever way best reflects the plan sponsor's business needs, as long as participants can reasonably identify who will have access. For example, persons may be identified by naming individuals' job titles (e.g., Director of Human Resources), functions (e.g., employees with oversight responsibility for the TPA), divisions of the company (e.g., Employee Benefits Department) or other entities related to the plan sponsor.

27. Assuming a use or disclosure is authorized, required or permitted, are there any limitations on the use or disclosure of PHI under these circumstances?
Even when the group health plan may use or disclose PHI in accordance with the Privacy Rule, the group health plan must make reasonable efforts to limit PHI to the "minimum necessary" to accomplish the intended purpose of the use, disclosure, or request for PHI. The minimum necessary standard is intended to make covered entities evaluate their practices and enhance protections as needed to prevent unnecessary or inappropriate access to PHI. The group health plan must develop and implement policies and procedures to reasonably limit uses and disclosures to the minimum necessary.

For routine uses of information, the Privacy Rule permits a group health plan to adopt general procedures for determining what the minimum necessary information is, and then to apply those general procedures. For example, a group health plan may take two steps: (1) identify persons or classes of persons in its workforce who need access to PHI to carry out their duties and job responsibilities; and (2) for each person or class of persons, identify the category or categories of PHI to which access is needed and any conditions appropriate to that access. For example, a group health plan could develop procedures that allow certain employees or classes of employees unrestricted access to aggregate claims information for rating, accounting or budgeting purposes. However, the procedures could require approval from the departmental manager to obtain an individual's specific identifiable claims records in order to determine the cause of the claims that can influence the rating, accounting or budgeting decisions.

HIPAA also requires a covered entity to limit the use, disclosure, or request of PHI, to the extent practicable, to the limited data set or, if the covered entity needs additional information, to the minimum necessary to accomplish the intended purpose of such use, disclosure, or request, respectively. A limited data set excludes 16 types of identifiers such as name, social security number, address, email address, and telephone number, but may include certain zip code and/or date information.

Minimum Necessary Standard

28. Does the minimum necessary standard apply to all uses and disclosures?

The minimum necessary standards of the Privacy Rule do not apply to the following:

a) Disclosures to or requests by a health care provider for treatment purposes.
b) Disclosures to the individual who is the subject of the information.
c) Uses or disclosures made pursuant to an authorization.
d) Disclosures to HHS when disclosure is required under the rule for investigation, compliance review or enforcement purposes.
e) Uses or disclosures that are required to comply with the Privacy Rule or by other federal law.

29. Are business associates required to restrict their uses and disclosures to the minimum necessary? May a covered entity reasonably rely on a request from a covered entity's business associate as the minimum necessary?

A business associate agreement must limit the business associate's uses and disclosures of, as well as requests for, PHI so that they are consistent with the covered entity's minimum necessary policies and procedures. A covered entity is permitted to reasonably rely on such requests from a business associate as the minimum necessary.

30. How are covered entities expected to determine what is the minimum necessary information that can be used, disclosed, or requested for a particular purpose?
The HIPAA Privacy Rule requires a covered entity to make reasonable efforts to limit use, disclosure of, and requests for PHI to the minimum necessary to accomplish the intended purpose. To allow covered entities the flexibility to address their unique circumstances, the Privacy Rule requires covered entities to make their own assessment of what PHI is reasonably necessary for a particular purpose, given the characteristics of their business and workforce, and to implement policies and procedures accordingly. This is not an absolute standard, and covered entities need not limit information uses or disclosures to those that are absolutely needed to serve the purpose. Rather, this is a reasonableness standard that calls for an approach consistent with reasonable practices to limit the unnecessary sharing of health information.

31. Is a covered entity required to apply the HIPAA Privacy Rule's minimum necessary standard to a disclosure of PHI it makes to another covered entity?

Covered entities are required to apply the minimum necessary standard to their own requests for PHI. One covered entity may reasonably rely on another covered entity's request as the minimum necessary; it does not need to engage in a separate minimum necessary determination. However, if a covered entity does not agree that the amount of information requested by another covered entity is reasonably necessary for the purpose, it is up to both covered entities to negotiate a resolution of the dispute as to the amount of information needed.

32. Must the HIPAA Privacy Rule's minimum necessary standard be applied to uses or disclosures that are authorized by an individual?

No. Uses and disclosures that are authorized by the individual are exempt from the minimum necessary requirements. For example, if a covered health care provider receives an individual's authorization to disclose medical information to a life insurer for underwriting purposes, the provider is permitted to disclose the information requested on the authorization without making any minimum necessary determination. However, the authorization must meet all statutory requirements.

Individual rights with respect to their own PHI

33. Does the HIPAA Privacy Rule require a covered entity or business associate to provide individuals with access to their PHI or an accounting of disclosures, or an opportunity to amend PHI?

The Privacy Rule generally requires covered entities, not business associates, to provide individuals with access to their PHI, an opportunity to request an amendment to or a restriction on disclosures of PHI, and an accounting of PHI that is disclosed other than for treatment, payment or health care operations or in response to a written authorization. This may include information in a designated record set held by a business associate, unless the information held by the business associate merely duplicates the information maintained by the covered entity. Therefore, the Privacy Rule requires covered entities to specify in the business associate agreement that the business associate must make such PHI available if and when needed by the covered entity to provide an individual with access to the information. However, the Privacy Rule does not prevent the parties from agreeing through the business associate agreement that the business associate will provide access to individuals, as may be appropriate where the business associate is the only holder of the designated record set, or part thereof.

If a covered entity amends PHI about an individual in a designated record set, it must amend the PHI in all designated record sets it maintains that contain that PHI and in any designated record sets (or copies thereof) held by a business associate. Therefore, the Rule requires covered entities to specify in the business associate agreement that the business associate must amend PHI in such records (or copies) when requested by the covered entity. The covered entity itself is responsible for addressing requests from individuals for amendment and coordinating such requests with its business associate. However, the Privacy Rule also does not prevent the parties from agreeing through the contract that the business associate will receive and address requests for amendment on behalf of the covered entity.

The Privacy Rule requires a covered entity to provide an accounting of certain disclosures, including certain disclosures by its business associate, to the individual upon request. This accounting does not need to include disclosures for treatment, payment or health care operations. The business associate agreement must provide that the business associate will make such information available to the covered entity in order for the covered entity to fulfill its obligation to the individual. As with access and amendment, the parties can agree through the business associate agreement that the business associate will provide the accounting to individuals, as may be appropriate given the PHI held by, and the functions of, the business associate.

34. Does the right to access PHI provide an individual with unlimited ability to access his or her PHI?

In general, no. Covered entities such as group health plans must give individuals the opportunity to inspect and/or obtain copies of their PHI. Only information held in the group health plan's "designated record set" must be made available. A designated record set includes information such as medical records, billing records, enrollment, payment, claims adjudication, case or medical management record systems, or records used to make decisions about individuals. There are exceptions to this requirement, however, including information maintained in psychotherapy notes and information compiled for use in a civil, criminal, or administrative action. In the case of the exceptions, group health plans may deny individuals access to their PHI without providing the individual with an opportunity for review.

If the individual, in writing, directs the covered entity to transmit a copy of his or her PHI (or ePHI) directly to a specific entity or person named by the individual, the covered entity must transmit the information to that designated recipient. The request to send PHI to another person must be clear and specify to whom the PHI is to be transmitted. A covered entity that uses or maintains PHI in an electronic format must allow the covered individual to obtain a copy of his or her PHI in an electronic format. The information must be provided in the electronic format requested by the individual if it is readily producible in the requested format.
If it is not readily producible in the requested format, it may be provided in another mutually agreeable electronic format. Electronic formats could include Word, Excel, PDF or similar. The information must be provided within 30 days; however, the covered entity may under certain circumstances have an additional 30 days. The covered entity may impose a fee for providing the individual with a copy of his or her information (or a summary or explanation of the information) if the copy (or summary or explanation) is in an electronic form. The fee may not exceed the covered entity's labor costs to respond to the request for the copy (or summary or explanation). It may, however, include the cost of certain electronic media such as flash drives or CDs if the information is provided on those media.

35. Does the individual have the right to request that his or her PHI be amended?

Yes. A group health plan must permit individuals to request an amendment to their PHI held in the group health plan's designated record set for as long as the group health plan maintains the PHI. A group health plan may, however, deny an individual's request for amendment or correction if the information is accurate and complete, or if the group health plan determines that the PHI (a) was not created by the group health plan, (b) is not part of the designated record set, or (c) is not available for the individual's inspection. Since PHI such as medical records is not created by group health plans but, rather, by health care providers, the amendment process should not have a significant effect on group health plans (the same would generally apply to records such as claims files maintained by a health insurance issuer or TPA).

36. Must a group health plan agree to an individual's request to restrict uses and disclosures of the individual's PHI?

No. Group health plans must permit individuals to request restrictions on: (a) the uses and disclosures of their PHI for treatment, payment or health care operations; and (b) certain disclosures to family members, other relatives, close personal friends or others identified by the individual. For instance, an individual may request a restriction regarding disclosures to family members. Group health plans are not required to agree to the requested restrictions, however, and may deny the request for any reason. If the group health plan agrees to a requested restriction, the group health plan may not use or disclose PHI in violation of the restriction, except in the case of emergency treatment where the restricted PHI is needed to provide the emergency treatment. If the restricted PHI is disclosed to a health care provider for emergency treatment, the group health plan must request that such health care provider not further use or disclose the information.

Health care providers (but not other covered entities) must comply with a requested restriction if: (a) the disclosure is to a health plan for purposes of carrying out payment or health care operations (and is not for purposes of carrying out treatment), unless otherwise required by law; and (b) the PHI relates solely to a health care item or service for which the health care provider involved has been paid out-of-pocket and in full. For example, if a covered individual pays a health care provider for a service out-of-pocket and in full, the health care provider may not release the information to the group health plan if the covered individual has asked that the information be restricted.

37. Does the right to an accounting mean that group health plans must provide an individual with a complete accounting of all disclosures of that individual's PHI from the very first disclosure through the date of the request?

No. Upon request, individuals have a right to receive an accounting of instances where their PHI is disclosed by the group health plan or by one of the plan's business associates (such as the TPA). The Privacy Rule does not require accounting for certain disclosures, the more common of which are disclosures: (a) for carrying out treatment, payment or health care operations; (b) to the individual or the individual's personal representative; (c) pursuant to an authorization; and (d) for notification of, or to, persons involved in an individual's care. This right applies to disclosures made in the six years prior to the date on which the accounting of the disclosures is requested (three years under proposed regulations).

Group health plans must have procedures to give individuals an accurate accounting of the disclosures. Such accounting must include the following: (a) the date of each disclosure; (b) the name and address of the organization or person who received the PHI; (c) a brief description of the information disclosed; and (d) for disclosures other than those made at the request of the individual, the purpose for which the information was disclosed. The accounting must be provided as soon as possible, but no later than 60 days after receipt of the request. If the information is maintained offsite, the group health plan may have a one-time extension of 30 days, provided the individual is notified, within the initial 60-day period, of the delay and of the date the PHI will be provided. (Proposed regulations would decrease the 60-day period to 30 days.)

38. Must a group health plan accommodate all requests to communicate with an individual in a confidential manner?

No. Individuals have the right to request that a group health plan communicate with them regarding their PHI either by an alternative means or at an alternative location, if such requests are reasonable. "Reasonableness" is based upon the administrative difficulty in accommodating the request, not on the perceived merits of the request. A group health plan must accommodate such reasonable requests only if the individual clearly states that disclosing all or part of the information could put him or her in danger.


More information

DETAILED NOTICE OF PRIVACY AND SECURITY PRACTICES OF THE Trustees of the Stevens Institute of Technology Health & Welfare Plan

DETAILED NOTICE OF PRIVACY AND SECURITY PRACTICES OF THE Trustees of the Stevens Institute of Technology Health & Welfare Plan DETAILED NOTICE OF PRIVACY AND SECURITY PRACTICES OF THE Trustees of the Stevens Institute of Technology Health & Welfare Plan THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED

More information

Disclaimer: Template Business Associate Agreement (45 C.F.R. 164.308)

Disclaimer: Template Business Associate Agreement (45 C.F.R. 164.308) HIPAA Business Associate Agreement Sample Notice Disclaimer: Template Business Associate Agreement (45 C.F.R. 164.308) The information provided in this document does not constitute, and is no substitute

More information

HIPAA RISKS & STRATEGIES. Health Insurance Portability and Accountability Act of 1996

HIPAA RISKS & STRATEGIES. Health Insurance Portability and Accountability Act of 1996 HIPAA RISKS & STRATEGIES Health Insurance Portability and Accountability Act of 1996 REGULATORY BACKGROUND Health Information Portability and Accountability Act (HIPAA) was enacted on August 21, 1996 Title

More information

Plan Sponsor Guide HIPAA Privacy Rule

Plan Sponsor Guide HIPAA Privacy Rule Plan Sponsor Guide HIPAA Privacy Rule Plan Sponsor s Guide to the HIPAA Privacy Rule Compliments of Aetna 00.02.108.1A (5/05) Compliments of Aetna You have likely heard a great deal about the HIPAA Privacy

More information

HIPAA Privacy Manual

HIPAA Privacy Manual California State University HIPAA Privacy Manual Revised February 17, 2010 As prepared by Mercer Human Resource Consulting 2010 California State University The HIPAA Privacy Manual was drafted for the

More information

HIPAA Privacy FAQ s. 3. Generally, what does the HIPAA Privacy Rule require the average provider or health plan to do?

HIPAA Privacy FAQ s. 3. Generally, what does the HIPAA Privacy Rule require the average provider or health plan to do? HIPAA Privacy FAQ s 1. What is the HIPAA privacy regulation? Until Congress passed HIPAA in 1996, personal health information (PHI) was protected by a patchwork of federal and state laws. Patients health

More information

HIPAA-P06 Use and Disclosure of De-identified Data and Limited Data Sets

HIPAA-P06 Use and Disclosure of De-identified Data and Limited Data Sets HIPAA-P06 Use and Disclosure of De-identified Data and Limited Data Sets FULL POLICY CONTENTS Scope Policy Statement Reason for Policy Definitions ADDITIONAL DETAILS Web Address Forms Related Information

More information

PATIENT RECORDS PRIVACY POLICIES AND PROCEDURES FOR HIPAA COMPLIANCE (4/03)

PATIENT RECORDS PRIVACY POLICIES AND PROCEDURES FOR HIPAA COMPLIANCE (4/03) PATIENT RECORDS PRIVACY POLICIES AND PROCEDURES FOR HIPAA COMPLIANCE (4/03) Use and Disclosure of PHI: Protected Health Information ( PHI ) may not be used or disclosed in violation of the Health Insurance

More information

Statement of Policy. Reason for Policy

Statement of Policy. Reason for Policy Table of Contents Statement of Policy 2 Reason for Policy 2 HIPAA Liaison 2 Individuals and Entities Affected by Policy 2 Who Should Know Policy 3 Exclusions 3 Website Address for Policy 3 Definitions

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (the Agreement ), is made effective as of the sign up date on the login information page of the CarePICS.com website, by and between CarePICS,

More information

HIPAA Compliance The Time is Now Changes on the Horizon: The Final Regulations on Privacy and Security. May 7, 2013

HIPAA Compliance The Time is Now Changes on the Horizon: The Final Regulations on Privacy and Security. May 7, 2013 HIPAA Compliance The Time is Now Changes on the Horizon: The Final Regulations on Privacy and Security May 7, 2013 Presenters James Clay President Employee Benefits & HR Consulting The Miller Group jimc@millercares.com

More information

Notice of Privacy Practices

Notice of Privacy Practices Notice of Privacy Practices This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully. This Notice of

More information

The HIPAA Privacy Rule: Overview and Impact

The HIPAA Privacy Rule: Overview and Impact The HIPAA Privacy Rule: Overview and Impact DISCLAIMER: This information is provided as is without any express or implied warranty. It is provided for educational purposes only and does not constitute

More information

HIPAA COMPLIANCE. What is HIPAA?

HIPAA COMPLIANCE. What is HIPAA? HIPAA COMPLIANCE What is HIPAA? The Health Insurance Portability and Accountability Act (HIPAA) also known as the Privacy Rule specifies the conditions under which protected health information may be used

More information

INDIANA UNIVERSITY SCHOOL OF OPTOMETRY HIPAA COMPLIANCE PLAN TABLE OF CONTENTS. I. Introduction 2. II. Definitions 3

INDIANA UNIVERSITY SCHOOL OF OPTOMETRY HIPAA COMPLIANCE PLAN TABLE OF CONTENTS. I. Introduction 2. II. Definitions 3 INDIANA UNIVERSITY SCHOOL OF OPTOMETRY HIPAA COMPLIANCE PLAN TABLE OF CONTENTS I. Introduction 2 II. Definitions 3 III. Program Oversight and Responsibilities 4 A. Structure B. Compliance Committee C.

More information

BUSINESS ASSOCIATE AGREEMENT. Recitals

BUSINESS ASSOCIATE AGREEMENT. Recitals BUSINESS ASSOCIATE AGREEMENT This Agreement is executed this 8 th day of February, 2013, by BETA Healthcare Group. Recitals BETA Healthcare Group consists of BETA Risk Management Authority (BETARMA) and

More information

HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT OF 1996 HIPAA

HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT OF 1996 HIPAA TRAINING MANUAL HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT OF 1996 HIPAA Table of Contents INTRODUCTION 3 What is HIPAA? Privacy Security Transactions and Code Sets What is covered ADMINISTRATIVE

More information

Professional Employer Organizations Obligations Under HIPAA A Summary

Professional Employer Organizations Obligations Under HIPAA A Summary NAPEO Legal InsightsTM Volume 2, Number 6 November 2009 Professional Employer Organizations Obligations Under HIPAA A Summary Dale R. Vlasek, Esq. Attorney McDonald Hopkins LLC Cleveland, Ohio A PEO is

More information

Model Business Associate Agreement

Model Business Associate Agreement Model Business Associate Agreement Instructions: The Texas Health Services Authority (THSA) has developed a model BAA for use between providers (Covered Entities) and HIEs (Business Associates). The model

More information

BUSINESS ASSOCIATE AGREEMENT HIPAA Protected Health Information

BUSINESS ASSOCIATE AGREEMENT HIPAA Protected Health Information BUSINESS ASSOCIATE AGREEMENT HIPAA Protected Health Information I. PREAMBLE ( Covered Entity ) and ( Business Associate ) (jointly the Parties ) wish to enter into an Agreement to comply with the requirements

More information

SAMPLE BUSINESS ASSOCIATE AGREEMENT

SAMPLE BUSINESS ASSOCIATE AGREEMENT SAMPLE BUSINESS ASSOCIATE AGREEMENT THIS AGREEMENT IS TO BE USED ONLY AS A SAMPLE IN DEVELOPING YOUR OWN BUSINESS ASSOCIATE AGREEMENT. ANYONE USING THIS DOCUMENT AS GUIDANCE SHOULD DO SO ONLY IN CONSULT

More information

Protecting Personal Health Information in Research: Understanding the HIPAA Privacy Rule

Protecting Personal Health Information in Research: Understanding the HIPAA Privacy Rule AA Privacy RuleP DEPARTMENT OF HE ALTH & HUMAN SERVICES USA Protecting Personal Health Information in Research: Understanding the HIPAA Privacy Rule NIH Publication Number 03-5388 The HI Protecting Personal

More information

Connecticut Pipe Trades Health Fund Privacy Notice. 2013 Restatement

Connecticut Pipe Trades Health Fund Privacy Notice. 2013 Restatement Connecticut Pipe Trades Health Fund Privacy Notice 2013 Restatement Section 1: Purpose of This Notice and Effective Date THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED

More information

HIPAA Privacy & Breach Notification Training for System Administration Business Associates

HIPAA Privacy & Breach Notification Training for System Administration Business Associates HIPAA Privacy & Breach Notification Training for System Administration Business Associates Barbara M. Holthaus privacyofficer@utsystem.edu Office of General Counsel University of Texas System April 10,

More information

State of Connecticut Department of Social Services HIPAA Policies and Procedures Manual

State of Connecticut Department of Social Services HIPAA Policies and Procedures Manual State of Connecticut Department of Social Services HIPAA Policies and Procedures Manual Updated 9/17/13 1 Overview As of April 14, 2003, the State of Connecticut Department of Social Services (DSS) is

More information

MILWAUKEE ROOFERS HEALTH FUND

MILWAUKEE ROOFERS HEALTH FUND MILWAUKEE ROOFERS HEALTH FUND PRIVACY PRACTICES NOTICE October 2013 THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE

More information

HHS Finalizes HIPAA Privacy and Data Security Rules, Including Stricter Rules for Breaches of Unsecured PHI

HHS Finalizes HIPAA Privacy and Data Security Rules, Including Stricter Rules for Breaches of Unsecured PHI January 23, 2013 HHS Finalizes HIPAA Privacy and Data Security Rules, Including Stricter Rules for Breaches of Unsecured PHI Executive Summary HHS has issued final regulations that address recent legislative

More information

NOTICE OF PRIVACY PRACTICES

NOTICE OF PRIVACY PRACTICES NOTICE OF PRIVACY PRACTICES THIS NOTICE DESCRIBES HOW PROTECTED HEALTH INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY. The terms

More information

Health Information Privacy Refresher Training. March 2013

Health Information Privacy Refresher Training. March 2013 Health Information Privacy Refresher Training March 2013 1 Disclosure There are no significant or relevant financial relationships to disclose. 2 Topics for Today State health information privacy law Federal

More information

HIPAA Compliance for Employers. What is HIPAA? Common HIPAA Misperception. The Penalties. Chapter I HIPAA Overview. The Privacy Regulations Why?

HIPAA Compliance for Employers. What is HIPAA? Common HIPAA Misperception. The Penalties. Chapter I HIPAA Overview. The Privacy Regulations Why? Chapter I HIPAA Overview HIPAA Compliance for Employers What is it? What is it supposed to do? Why should you care? Who does it apply to? What does it cover? Patricia C. Shea, Esq. 717.231.5870 2 What

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT (this Agreement ), effective as of May 1, 2014 (the Effective Date ), by and between ( Covered Entity ) and Orchard Software Corporation,

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( Agreement ) by and between (hereinafter known as Covered Entity ) and Office Ally, LLC. (hereinafter known as Business Associate ), and

More information

Data Breach, Electronic Health Records and Healthcare Reform

Data Breach, Electronic Health Records and Healthcare Reform Data Breach, Electronic Health Records and Healthcare Reform (This presentation is for informational purposes only and it is not intended, and should not be relied upon, as legal advice.) Overview of HIPAA

More information

Winthrop-University Hospital

Winthrop-University Hospital Winthrop-University Hospital Use of Patient Information in the Conduct of Research Activities In accordance with 45 CFR 164.512(i), 164.512(a-c) and in connection with the implementation of the HIPAA Compliance

More information

An Employer s Introduction to HIPAA Prepared by Ballard, Rosenberg Golper & Savitt, LLP

An Employer s Introduction to HIPAA Prepared by Ballard, Rosenberg Golper & Savitt, LLP An Employer s Introduction to HIPAA Prepared by Ballard, Rosenberg Golper & Savitt, LLP Important Disclaimer: Practice limited to labor and employment law on behalf of management and related litigation.

More information

HIPAA 101. March 18, 2015 Webinar

HIPAA 101. March 18, 2015 Webinar HIPAA 101 March 18, 2015 Webinar Agenda Acronyms to Know HIPAA Basics What is HIPAA and to whom does it apply? What is protected by HIPAA? Privacy Rule Security Rule HITECH Basics Breaches and Responses

More information

-1- PERSONNEL CERTIFIED / NON-CERTIFIED 4112.61/4212.61

-1- PERSONNEL CERTIFIED / NON-CERTIFIED 4112.61/4212.61 -1- HIPAA Privacy Policies The Wallingford Board of Education ("the Board" or the "Plan Sponsor") sponsors a group health plan that provides medical and dental benefits (the "Plan"). These Privacy Policies

More information

Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification

Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification Type of Policy and Procedure Comments Completed Privacy Policy to Maintain and Update Notice of Privacy Practices

More information

Alert. Client PROSKAUER ROSE LLP. HIPAA Compliance Update: Employers, As Group Health Plan Sponsors, Will Be Affected By HIPAA Privacy Requirements

Alert. Client PROSKAUER ROSE LLP. HIPAA Compliance Update: Employers, As Group Health Plan Sponsors, Will Be Affected By HIPAA Privacy Requirements PROSKAUER ROSE LLP Client Alert HIPAA Compliance Update: Employers, As Group Health Plan Sponsors, Will Be Affected By HIPAA Privacy Requirements The U.S. Department of Health and Human Services published

More information

HIPAA PRIVACY AND SECURITY FOR EMPLOYERS

HIPAA PRIVACY AND SECURITY FOR EMPLOYERS HIPAA PRIVACY AND SECURITY FOR EMPLOYERS Agenda Background and Enforcement HIPAA Privacy and Security Rules Breach Notification Rules HPID Number Why Does it Matter HIPAA History HIPAA Title II Administrative

More information

HIPAA NOTICE OF PRIVACY PRACTICES

HIPAA NOTICE OF PRIVACY PRACTICES HIPAA NOTICE OF PRIVACY PRACTICES THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY. Protected

More information

HIPAA NOTICE OF PRIVACY PRACTICES

HIPAA NOTICE OF PRIVACY PRACTICES HIPAA NOTICE OF PRIVACY PRACTICES Human Resources Department 16000 N. Civic Center Plaza Surprise, AZ 85374 Ph: 623-222-3532 // Fax: 623-222-3501 TTY: 623-222-1002 Purpose of This Notice This Notice describes

More information

EXHIBIT C BUSINESS ASSOCIATE AGREEMENT

EXHIBIT C BUSINESS ASSOCIATE AGREEMENT EXHIBIT C BUSINESS ASSOCIATE AGREEMENT THIS AGREEMENT is made and entered into by and between ( Covered Entity ) and KHIN ( Business Associate ). This Agreement is effective as of, 20 ( Effective Date

More information

Business Associate Agreement

Business Associate Agreement Business Associate Agreement This Agreement is entered into as of ("Effective Date"), between ( Covered Entity ), and ( Business Associate ). RECITALS WHEREAS, Business Associate provides services on behalf

More information

HIPAA COMPLIANCE INFORMATION. HIPAA Policy

HIPAA COMPLIANCE INFORMATION. HIPAA Policy HIPAA COMPLIANCE INFORMATION HIPAA Policy Use of Protected Health Information for Research Policy University of North Texas Health Science Center at Fort Worth Applicability: All University of North Texas

More information

Salt Lake Community College Employee Health Care Benefits Plan Notice of Privacy Practices

Salt Lake Community College Employee Health Care Benefits Plan Notice of Privacy Practices THIS NOTICE DESCRIBES HOW HEALTH INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY. Date: June 1, 2014 Salt Lake Community College

More information

Everett School Employee Benefit Trust. Reportable Breach Notification Policy HIPAA HITECH Rules and Washington State Law

Everett School Employee Benefit Trust. Reportable Breach Notification Policy HIPAA HITECH Rules and Washington State Law Everett School Employee Benefit Trust Reportable Breach Notification Policy HIPAA HITECH Rules and Washington State Law Introduction The Everett School Employee Benefit Trust ( Trust ) adopts this policy

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT The parties to this ( Agreement ) are, a _New York_ corporation ( Business Associate ) and ( Client ) you, as a user of our on-line health record system (the "System"). BY

More information

SDC-League Health Fund

SDC-League Health Fund SDC-League Health Fund 1501 Broadway, 17 th Floor New York, NY 10036 Tel: 212-869-8129 Fax: 212-302-6195 E-mail: health@sdcweb.org NOTICE OF PRIVACY PRACTICES THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (the "Agreement") is made and entered into this day of,, by and between Quicktate and idictate ("Business Associate") and ("Covered Entity").

More information

HIPAA Business Associate Agreement

HIPAA Business Associate Agreement HIPAA Business Associate Agreement User of any Nemaris Inc. (Nemaris) products or services including but not limited to Surgimap Spine, Surgimap ISSG, Surgimap SRS, Surgimap Office, Surgimap Ortho, Surgimap

More information

VALPARAISO UNIVERSITY NOTICE OF PRIVACY PRACTICES. Health, Dental and Vision Benefits Health Care Reimbursement Account

VALPARAISO UNIVERSITY NOTICE OF PRIVACY PRACTICES. Health, Dental and Vision Benefits Health Care Reimbursement Account VALPARAISO UNIVERSITY NOTICE OF PRIVACY PRACTICES THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

More information

State of Florida Employees' Group Health Insurance Privacy Notice

State of Florida Employees' Group Health Insurance Privacy Notice This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully. The Health Insurance Portability and Accountability

More information

VENDOR / CONTRACTOR. Privacy Basics

VENDOR / CONTRACTOR. Privacy Basics VENDOR / CONTRACTOR Privacy Basics Introduction Premera s mission is to provide our customers with peace of mind about their healthcare. This requires that everyone who works with or for Premera (the Company

More information

THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) EMPLOYEE TRAINING MANUAL

THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) EMPLOYEE TRAINING MANUAL THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) EMPLOYEE TRAINING MANUAL What is HIPAA? Comprehensive federal legislation regarding health insurance which is comprised of four key areas:

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT THIS HIPAA BUSINESS ASSOCIATE AGREEMENT ( BAA ) is entered into effective the day of, 20 ( Effective Date ), by and between the Regents of the University of Michigan,

More information

BUSINESS ASSOCIATE AND DATA USE AGREEMENT NAME OF COVERED ENTITY: COVERED ENTITY FEIN/TAX ID: COVERED ENTITY ADDRESS:

BUSINESS ASSOCIATE AND DATA USE AGREEMENT NAME OF COVERED ENTITY: COVERED ENTITY FEIN/TAX ID: COVERED ENTITY ADDRESS: BUSINESS ASSOCIATE AND DATA USE AGREEMENT NAME OF COVERED ENTITY: COVERED ENTITY FEIN/TAX ID: COVERED ENTITY ADDRESS:, City State Zip This Business Associate and Data Use Agreement ( Agreement ) is effective

More information

HIPAA PRIVACY POLICY AND PROCEDURES FOR PROTECTED HEALTH INFORMATION

HIPAA PRIVACY POLICY AND PROCEDURES FOR PROTECTED HEALTH INFORMATION HIPAA PRIVACY POLICY AND PROCEDURES FOR PROTECTED HEALTH INFORMATION HILLSDALE COLLEGE HEALTH AND WELLNESS CENTER Policy Preamble This privacy policy ( Policy ) is designed to address the Use and Disclosure

More information

REPRODUCTIVE ASSOCIATES OF DELAWARE (RAD) NOTICE OF PRIVACY PRACTICES PLEASE REVIEW IT CAREFULLY.

REPRODUCTIVE ASSOCIATES OF DELAWARE (RAD) NOTICE OF PRIVACY PRACTICES PLEASE REVIEW IT CAREFULLY. REPRODUCTIVE ASSOCIATES OF DELAWARE (RAD) NOTICE OF PRIVACY PRACTICES THIS NOTICE DESCRIBES HOW PROTECTED HEALTH INFORMATION (PHI) ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS

More information

Population Health Management Program Notice of Privacy Practices

Population Health Management Program Notice of Privacy Practices Population Health Management Program Notice of Privacy Practices Premier Health provides population health management services to its health plan members. Services include wellness program tools and technology,

More information

CMA BUSINESS ASSOCIATE AGREEMENT WITH CMA MEMBERS

CMA BUSINESS ASSOCIATE AGREEMENT WITH CMA MEMBERS CMA BUSINESS ASSOCIATE AGREEMENT WITH CMA MEMBERS Dear Physician Member: Thank you for contacting the California Medical Association and thank you for your membership. In order to advocate on your behalf,

More information

Business Associate Agreement

Business Associate Agreement Business Associate Agreement This Business Associate Contract (Agreement) is entered into by and between, as a Covered Entity as defined in relevant federal and state law, and HMS Agency, Inc., as their

More information

Data Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, 2014 2:15pm 3:30pm

Data Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, 2014 2:15pm 3:30pm Electronic Health Records: Data Security and Integrity of e-phi Worcester, MA Wednesday, 2:15pm 3:30pm Agenda Introduction Learning Objectives Overview of HIPAA HIPAA: Privacy and Security HIPAA: The Security

More information

New HIPAA regulations require action. Are you in compliance?

New HIPAA regulations require action. Are you in compliance? New HIPAA regulations require action. Are you in compliance? Mary Harrison, JD Tami Simon, JD May 22, 2013 Discussion topics Introduction Remembering the HIPAA Basics HIPAA Privacy Rules HIPAA Security

More information