Employee Health Benefit Plans: The Forgotten Covered Entity
By William A. MacBain and Lisa B. MacBain
MacBain & MacBain, LLC
Organizations across the nation are working overtime to determine
their HIPAA liability and to quickly remediate with appropriate
changes in behavior and documentation. In the midst of all of this
activity, it must be remembered that Federal HIPAA administrative
simplification regulations treat employee health benefits plans
as separate legal entities, distinct from their employer sponsors.
Depending on how these health plans provide their benefits, they
may be subject to some, or all, of the administrative simplification
regulations.
Eligibility Considerations
Under the HIPAA privacy regulations, an employee health benefit
plan and the employer, as plan sponsor, are considered separate
legal entities. This is consistent with the treatment of employee
welfare benefit plans under the Employee Retirement Income Security
Act (ERISA). If the employee health benefit plan has 50 or more
participants or if it is administered by a third party, it is considered
a "group health plan" in the HIPAA regulations. If the
employee health benefit plan meets this definition of a group health
plan, it is considered a "covered entity" and is subject
to HIPAA administrative simplification regulations. This includes
regulations regarding standard transactions and code sets, privacy,
and security, once the final security rules are published. A group
health plan that provides all of its benefits through insurance
contracts with health insurance companies or HMOs does not need
to comply with many of the administrative requirements of HIPAA,
but it is still considered a covered entity and is subject to all
other provisions of the regulations. However, if the group health
plan provides any benefits on some other basis, rather than through
insurance contracts, it is subject to all of HIPAA, just as if it
were a commercial insurance company.
Sharing Protected Health Information Between A Group Health
Plan and Sponsor
Plan documents will need to be modified if any employees of the
employer that sponsors the group health plan receive any protected
health information (PHI) from the plan, other than eligibility verification
and summary health information. This includes receiving protected
health information from the group health plan's business associates,
such as a TPA or pharmacy benefit manager. See 45 CFR § 164.504(f),
Requirements for group health plans.
The relationship defined by HIPAA among the group health plan,
the plan sponsor, a TPA, and other entities, can be confusing. When
employees of the plan sponsor perform plan administration duties,
their access to the group health plan's PHI is considered a disclosure
of PHI from the group health plan to the plan sponsor. When employees
of a TPA under contract to the group health plan have access to
the group health plan's PHI, this is considered a disclosure of
the PHI to the group health plan's business associate. Similarly,
when plan administration is carried out by employees of the group
health plan (example: Taft-Hartley trust), their access to PHI is
a use of the group health plan's PHI. If the TPA's employees, or
group health plan employees, provide PHI to the plan sponsor, this
is also a disclosure of the PHI to the plan sponsor.
Disclosure of PHI to the plan sponsor is only allowed if the plan
documents are amended. There are two exceptions: summary health
information and enrollment information. Summary health information
and enrollment information are PHI, but they may be disclosed to
the plan sponsor even if the plan documents have not been amended.
For HIPAA purposes, summary health information means information
about individual participants in a group health plan that summarizes
claims history, claims expenses, or type of claims experienced by
those participants; and which has been de-identified, except that
the information may be aggregated by 5-digit zip code instead of
3-digit zip code. Enrollment information is information determining
whether an individual is participating in the group health plan,
or is enrolled in or has disenrolled from a health insurance issuer
or HMO offered by the plan to the plan sponsor.
Few organizations that sponsor a self-funded employee health plan
can erect an impermeable barrier between the employer, as plan sponsor,
and PHI in the custody of the group health plan - even if the plan
is administered by a TPA. A careful review of information received
from the TPA is recommended before concluding that the sponsor of
a self-funded health plan can forego the HIPAA plan document amendments.
This should include both routine reports and occasional information
requests. Even in insured experience-rated plans, the plan sponsor
may want to reserve the right to review high cost claims or other
forms of PHI - and, thus, may want to amend the plan documents to
allow these disclosures.
Amending Employee Welfare Benefit Plan Documents: Protecting
the Privacy of Employee PHI When the Plan Sponsor is a Health Care
Provider
HIPAA privacy regulations do not address the exchange of PHI between
a group health plan and its plan sponsor, when the sponsor is also
a covered health care provider, and the exchange is part of the
normal commerce between a provider and a health plan.
For example, it would be normal for a health plan to send a remittance
advice to a provider. However, if the provider is also the plan
sponsor, and the health plan is the group health plan which the
provider sponsors, a literal reading of the regulations would prohibit
this practice. See 45 CFR § 164.504(f)(2)(iii)(B). The
rules regarding disclosures of PHI by a group health plan to its
plan sponsor restrict the sponsor's access to and use of group health
plan PHI to only the plan administration functions that the sponsor
performs for the group health plan.
This literal reading would interfere with the ability of the sponsor,
in its capacity as a provider, to receive PHI from its own group
health plan for purposes related to its function as a provider.
One suggested approach is to treat such interactions under the
same rules as apply to all other provider-health plan interactions,
and to view this as something apart from the group health plan-plan
sponsor relationship. This is consistent with the overall logic
of the regulations, in the context of the entire administrative
simplification section of HIPAA. However, readers are cautioned
that this is an interpretation. This apparent conflict in the regulations
points out the necessity for health care providers to use extra
care in devising policies, procedures and training for workers who
handle the PHI of fellow employees in the course of their duties.
Regardless of the approach taken, PHI will most likely need to
be shared between employers, as plan sponsors, and those administering
the employee health benefit plan. Compliance dates for documentation
and training requirements are the same for all covered entities,
including the employee health benefit plan, with one exception: employee
health benefit plans that paid less than $5 million in claims and
insurance premiums in the most recent full fiscal year are considered
small health plans and have an extra year to comply with the privacy
regulations.
William and Lisa MacBain are principals of MacBain & MacBain,
LLC, a health care consulting firm with particular expertise in
the HIPAA regulations as they relate to managed care, hospital and
health services, and employee benefit health plans.