HIPAA FAQ FOR PLAN SPONSORS
Our company sponsors a self-funded medical plan for its employees. We use a TPA (third-party administrator) to administer the plan. If the TPA complies with HIPAA, have we met our obligation?
No. Although employers are not subject to HIPAA, the health plan is a Covered Entity and is subject to HIPAA. The plan should be named in its summary plan description (SPD), e.g. ACME Medical Plan. It is easy to confuse the employer with the plan, but it is important to identify the employees and systems that have access to information about the plan's subscribers. This often includes HR or benefits personnel and may include officers of the company such as the CFO. Any employee responsible for maintaining the computer systems on which subscriber information is held should also be considered part of the plan.
What are the Business Associates of a plan?
A Business Associate is any vendor to whom the plan sends Protected Health Information (PHI). Most often, PHI is the demographic information contained on an eligibility file. But in the case of a transition to a new vendor, PHI may also include claims data. TPAs and brokers are the most common business associates of a self-funded plan.
When a Business Associate sends PHI to another entity, is the other entity also a Business Associate?
Does the self-funded plan or the TPA need to have a Notice of Privacy Practices?
Only the Covered Entity, e.g. the plan, is required to issue a Notice of Privacy Practices. The Notice is permitted to be included in the SPD. It must be distributed at least every three years, or sooner if changes are made.
Our TPA notified us that the PHI of our plan participants was breached. Who is responsible for notifying participants? Who notifies the Office for Civil Rights?
Are there any states that require notification of breaches?
If a plan participant wants copies of their medical claims history, is the plan or TPA required to send the information?
Typically the TPA will respond to such requests since they maintain the claims history. It’s advisable not to have the information sent to the plan since a claims history will contain information that the plan does not routinely have access to, e.g. diagnosis and treatment information. The TPA should be able to provide the participant with a form titled Request to Access that allows the participant to include dates of service, provider names and other information useful for compiling the history. The TPA is permitted to charge a fee for actual supplies, e.g. paper or USB device, if the participant requests to receive the information in that manner.
The TPA will only email PHI if the email is encrypted. Can the plan require the TPA to send email without encryption?
No. A Covered Entity (the plan) and a Business Associate (the TPA) are both subject to the HIPAA Security Rule, which requires that PHI be transmitted in a secure manner. For e-mail, this means the message must be encrypted, either with TLS (Transport Layer Security) between the parties' mail servers or with encryption software. According to both state and federal regulators, passwords are not a replacement for encryption.
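As an added illustration of the "TLS between the parties" requirement above (example code, not part of this FAQ or any TPA's software), the routine below refuses to hand a PHI-bearing message to the TPA's mail server unless STARTTLS is offered, the TLS handshake completes, and the server certificate verifies; the host names and addresses are constructed placeholders.

```python
# Added example (not from the FAQ): enforce TLS on the SMTP hop before sending PHI.
# Host names and addresses are constructed placeholders.
import smtplib
import ssl
from email.message import EmailMessage


class InsecureTransportError(RuntimeError):
    """The hop to the TPA's mail server could not be protected with TLS."""


def transport_is_acceptable(pre_tls_features: dict, tls_established: bool) -> bool:
    """Policy check applied before any PHI is transmitted.

    The server must have advertised STARTTLS in its first EHLO reply *and* the
    TLS handshake must actually have completed. Advertising alone is not enough:
    a middlebox can strip the extension, or the handshake can fail."""
    offers_starttls = any(name.lower() == "starttls" for name in pre_tls_features)
    return offers_starttls and tls_established


def build_message(sender: str, recipient: str, subject: str, body: str) -> EmailMessage:
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, recipient, subject
    msg.set_content(body)
    return msg


def send_with_enforced_tls(host: str, port: int, msg: EmailMessage, timeout: float = 10.0) -> None:
    context = ssl.create_default_context()  # verifies certificate chain and hostname
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        # Capture features now: a server stops advertising STARTTLS once TLS is up.
        pre_tls_features = dict(smtp.esmtp_features)
        if not smtp.has_extn("starttls"):
            raise InsecureTransportError(f"{host}:{port} does not offer STARTTLS")
        smtp.starttls(context=context)  # raises on handshake or certificate failure
        smtp.ehlo()                     # re-EHLO after the upgrade (RFC 3207)
        tls_on = isinstance(smtp.sock, ssl.SSLSocket)
        if not transport_is_acceptable(pre_tls_features, tls_on):
            raise InsecureTransportError("TLS not established; PHI was not sent")
        smtp.send_message(msg)


if __name__ == "__main__":
    demo = build_message("benefits@plan.example", "eligibility@tpa.example",
                         "Eligibility file", "Demo body, no PHI.")
    try:
        send_with_enforced_tls("smtp.tpa.example", 587, demo)
    except (InsecureTransportError, OSError) as exc:
        print(f"Not sent: {exc}")
```

Sending over an unencrypted session (for example a plain port 25 relay without STARTTLS) raises `InsecureTransportError` instead of silently falling back.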
Can a participant ask that their claims information be sent to them via unencrypted email?
Yes, but certain steps should be taken first. Send an initial e-mail, containing no PHI, to confirm that the participant's e-mail address is correct. In that e-mail, ask the participant to acknowledge that they accept the risk of sending and receiving unencrypted e-mail. Only after they acknowledge should the PHI be sent.