Our company sponsors a self-funded medical plan for its employees. We use a TPA to administer the plan. If the TPA complies with HIPAA, have we met our obligation?

No. Although employers are not subject to HIPAA, the health plan is a Covered Entity and is subject to HIPAA. The plan's summary plan description (SPD) should name the health plan, e.g. ACME Medical Plan. It is easy to confuse the employer with the plan, but it is important to identify which employees and systems have access to information about the plan's subscribers. Often this includes HR or benefits personnel and may include officers of the company such as the CFO. Any employee responsible for maintaining the computer systems on which subscriber information is held should also be considered part of the plan.

What are the Business Associates of a plan?

A Business Associate is any vendor to whom the plan sends Protected Health Information (PHI). Most often, PHI is the demographic information contained on an eligibility file. But in the case of a transition to a new vendor, PHI may also include claims data. TPAs and brokers are the most common business associates of a self-funded plan.

When a Business Associate sends PHI to another entity, is the other entity also a Business Associate?

Yes. If the receiving Business Associate is contracted with the sending Business Associate, then the sending Business Associate initiates the Business Associate Agreement (BAA). If the receiving Business Associate is contracted with the plan, then the plan initiates the BAA with the receiving Business Associate. Example 1: The TPA contracts with a company that shreds paper containing PHI. Both the TPA and the shredding vendor are Business Associates since both have access to PHI. The TPA must have a Business Associate Agreement as part of its contract with the shredding vendor. Example 2: The TPA sends PHI to a utilization management company on behalf of your plan. Since the utilization management company receives PHI, it is a Business Associate. The plan must have a Business Associate Agreement as part of its contract with the utilization management vendor.

Does the self-funded plan or the TPA need to have a Notice of Privacy Practices?

Only the Covered Entity, i.e. the plan, is required to issue a Notice of Privacy Practices. The Notice may be included in the SPD. It must be distributed at least every three years, or sooner if changes are made.

Our TPA notified us that the PHI of our plan participants was breached. Who is responsible for notifying participants? Who notifies the Office for Civil Rights?

Most TPAs will notify participants. As the plan sponsor, you may wish to include in the Business Associate Agreement that you must approve any notification before it is sent. Keep in mind that HIPAA requires notification to participants without unreasonable delay and within 60 days of discovery of the breach. Because Business Associates are themselves subject to penalties by the Office for Civil Rights, a TPA that experiences a breach is responsible for the notification. As the plan sponsor, you may ask the TPA for evidence that the breach was reported to OCR.

Are there any states that require notification of breaches?

All states and U.S. territories have data breach laws. The applicable law is determined by the residence of the plan participant, including COBRA beneficiaries and retirees. These laws vary significantly from one another: some apply only to breaches of electronic data while others also cover paper. They also differ in the data elements that constitute a breach, the timeframe within which a breach must be reported, which party is responsible for reporting, and even the specific language that must appear in the notification to the plan participant. The National Conference of State Legislatures links to all of these laws on its website: http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx

If a plan participant wants copies of their medical claims history, is the plan or TPA required to send the information?

Typically the TPA will respond to such requests since it maintains the claims history. It is advisable not to have the information sent to the plan, since a claims history contains information that the plan does not routinely have access to, e.g. diagnosis and treatment information. The TPA should be able to provide the participant with a form titled Request to Access that lets the participant specify dates of service, provider names and other information useful for compiling the history. The TPA is permitted to charge a fee for actual supplies, e.g. paper or a USB device, if the participant requests to receive the information in that manner.

The TPA will only email PHI if the email is encrypted. Can the plan require the TPA to send email without encryption?

No. A Covered Entity (the plan) and a Business Associate (the TPA) are both subject to the HIPAA Security Rule, which requires that PHI be transmitted securely. For email, this means encryption must be used, either TLS (transport layer security) between the parties or encryption software. According to both state and federal regulators, passwords are not a replacement for encryption.
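An added example (not from this FAQ) of the "TLS between the parties" option: a Python sender that refuses to hand PHI to an SMTP relay unless STARTTLS is negotiated at TLS 1.2 or higher. The relay host, port and credentials are placeholders.

```python
import smtplib
import ssl
from email.message import EmailMessage

# Constructed example (not part of the FAQ). Relay host, port and credentials
# are placeholders; the point is the gate: no STARTTLS, no PHI.
RELAY_HOST = "smtp.example.invalid"
RELAY_PORT = 587
ACCEPTED_TLS = ("TLSv1.2", "TLSv1.3")


def tls_policy_ok(ehlo_features, negotiated_version):
    """Decide whether a hop is acceptable for PHI.

    ehlo_features: the dict smtplib fills after EHLO (keys are lowercased
    extension names, e.g. "starttls", "auth").
    negotiated_version: SSLSocket.version() after STARTTLS, or None if
    TLS was never negotiated.
    """
    if "starttls" not in ehlo_features:
        return False
    return negotiated_version in ACCEPTED_TLS


def send_phi_email(sender, recipient, subject, body,
                   host=RELAY_HOST, port=RELAY_PORT, credentials=None):
    """Send only after STARTTLS succeeds with TLS 1.2+; otherwise raise."""
    ctx = ssl.create_default_context()          # verifies the relay's certificate
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, recipient, subject
    msg.set_content(body)
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise RuntimeError("relay offers no STARTTLS; refusing to send PHI in the clear")
        smtp.starttls(context=ctx)
        smtp.ehlo()                               # re-EHLO over the encrypted channel
        version = smtp.sock.version()
        if not tls_policy_ok(smtp.esmtp_features, version):
            raise RuntimeError("negotiated %s does not meet policy" % version)
        if credentials:
            smtp.login(*credentials)              # credentials only after encryption
        smtp.send_message(msg)
    return version
```

A password-protected attachment sent over a non-TLS hop would still be rejected by this gate, which matches the regulators' position that passwords do not substitute for encryption.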

Can a participant ask that their claims information be sent to them via unencrypted email?

Yes, but certain steps should be taken first. Send an initial email, containing no PHI, to the participant to confirm that the email address is correct. In that email, ask the participant to acknowledge that they accept the risk of sending and receiving unencrypted email. Only after they acknowledge should the PHI be sent.