HIPAAdvisor: Q & A with Steve Fox
Business Partners & Paper Formats
Question: We are a regional payer organization with subsidiaries
in multiple states. We've just finished our HIPAA readiness assessment,
and this anomaly came up. One of our subsidiaries purchases medical
stop-loss reinsurance from another one of our subsidiaries. The
reinsurer is licensed for life and casualty lines only, so it is
not a HIPAA-covered entity. However, when a stop-loss claim is made,
the health insurer provides detailed claim information to the reinsurer.
1. Does this make the reinsurer a trading partner, and hold
that organization to HIPAA security and privacy standards?
2. Would it make any difference if all of the information were
transmitted in paper or fax format?
Answer: As noted by the writer, a life insurance company
is not directly covered by HIPAA. However, it sounds as if the reinsurer
is a trading (or business) partner under the security standards
and/or a business partner under the privacy standards.
A trading partner is an entity contractually bound (in a chain
of trust partner agreement) to electronically exchange data for
processing and to protect the integrity and confidentiality of the
transmitted data. Generally, trading partners will be clearinghouses,
payers or other entities involved in the claims payment process.
A business partner, as that term is used in the privacy standards,
refers to an agent, contractor, person or other entity to whom "protected
health information" is disclosed for the purpose of carrying out,
assisting or performing a function or activity on behalf of the
covered entity. This includes third-party administrators, researchers,
public health officials, life insurance issuers, employers and marketing
firms.
So, in answer to your first question, the reinsurer in your
scenario would be a HIPAA-covered business partner. The regulations
as proposed would require a written contract between the covered
entity and all business partners. Basically, the contract's purpose
is to limit the business partner's use of protected health information
to the same uses as permitted for the covered entity, as well as
to impose certain security, inspection and reporting requirements
on the business partner.
To understand the meaning of "protected health information", look
at the definition of "individually identifiable health information"
-- any information created or received by a health care provider,
health plan, employer or health care clearinghouse, that relates
to an individual's past, present or future condition, treatment
or payment for health care services and which identifies the individual.
"Protected health information" is any health information that is
or has been electronically maintained or transmitted by a covered
entity, even if it subsequently takes any other form. In other words,
information that has ever existed in an electronic state remains
protected if it is later converted to paper or some other medium.
Therefore, in answer to your second question, transmission
of the individually identifiable health information in paper or
fax format will not place it beyond HIPAA's scope, if the information
has ever been electronically collected, stored, maintained, used
or transmitted.
Steve Fox, Esq., is a partner in the Washington, D.C.
office of Pepper Hamilton LLP. Pepper Hamilton LLP is a multi-practice law firm
with more than 400 lawyers in ten offices. A specialist in healthcare, Steve is
a frequent writer and speaker on healthcare information management and technology
issues. www.pepperlaw.com/
This article was co-authored by Rachel H. Wilson, Esq., an associate at Pepper
Hamilton.
Disclaimer: Steve's responses offer information that is general in nature and
should not be relied upon as legal advice. Only your attorney is qualified to
evaluate your specific situation and provide you with customized advice.