Information contained in this publication is intended for informational purposes only and does not constitute legal advice or opinion, nor is it a substitute for the professional judgment of an attorney.
On July 23, 2009, Littler Mendelson hosted a webinar, entitled “Meeting the Compliance Challenges of a Reinvigorated HIPAA and the Genetic Information Non-Discrimination Act of 2009.” Participants asked several questions to which we could not respond because of time. Below are the questions and the answers:
Q: Could you give a real life example of how an employer might experience an internal HIPAA violation?
A: We explained during the webinar that not all employee health information is protected by HIPAA. In fact, the universe of employee health information which HIPAA protects is relatively small. Protected health information (PHI) is limited to individually identifiable health information created or received by, or on behalf of, a group health, dental, or vision plan; health care reimbursement flexible spending account; employee assistance program; long-term care plan; or pharmacy benefits plan. HIPAA would be violated when, for example, a benefits administrator notices that an employee has submitted claims to an employer’s health plan for services related to an abortion, AIDS, or cancer and gossips with the employee’s manager about the employee’s condition.
Q: Do the HIPAA security breach requirements that you discussed during the webinar apply to employers who have fully insured plans or only to employers who have self-insured plans?
A: Most employers with fully insured plans receive only summary health information and enrollment and disenrollment information from the health insurer. This information is considered protected health information (PHI); however, given the very small amount of PHI that an employer with a fully insured plan receives, the likelihood of a breach involving that information is low. Also, because the insurance company that provides the health insurance is not acting as the employer’s agent, the insurance company, not the employer, would be required to provide the notice for a breach of PHI maintained by the insurer. Fully insured employers should keep in mind that if they do offer a health care reimbursement flexible spending account, they are likely to have a significant amount of PHI on-site, and if a third-party administrator suffers a breach, the employer would be ultimately responsible for ensuring that the plan participants are notified.
Q: How do the HIPAA regulations define the term “business associate,” and what are the requirements for the employer or health care provider if a business associate experiences a security breach?
A: A business associate is a vendor who provides services for a health plan or health care provider using PHI. Some examples of business associates include billing services, debt collection agencies, third-party administrators, insurance brokers, pharmacy benefits managers, accountants, attorneys, and auditors. An employer or health care provider can disclose PHI to a business associate without the subject’s prior authorization but only if there is a written agreement (known as a “business associate agreement”) in place with the business associate. The business associate agreement is required to include at a minimum certain provisions listed in the HIPAA regulations that are intended to protect the confidentiality of PHI and ensure that individuals can exercise their HIPAA-mandated rights with respect to their PHI.
If a business associate experiences a breach, the business associate is required to notify the employer/health plan or the health care provider and identify the plan participants or patients whose PHI has been compromised. Employers and health care providers should consider supplementing this statutory notice requirement through contractual provisions in the business associate agreement that require the business associate to provide additional information about the breach, such as the date it occurred, the date it was discovered, what happened, what steps the business associate took to end the breach, and what steps the business associate will take to prevent a recurrence.
Q: Should we have a business associate agreement with the company that we use to shred protected health information (PHI)? Also, our payroll provider houses information on contributions for our healthcare reimbursement flexible spending account. Should we have a business associate agreement with them?
A: Your organization should have a business associate agreement with that shredding company. Information on contributions to a health care reimbursement flexible spending account is PHI, so your organization also should have a business associate agreement with the payroll provider.
Q: Is de-identified protected health information (PHI) subject to the breach notification requirements?
A: No. Once PHI has been de-identified, the information no longer is protected by HIPAA. As a result, a security breach involving de-identified PHI does not trigger a breach notification obligation. You should note, however, that HIPAA establishes a very high standard for de-identification. The regulations require the removal of all identifiers — including, for example, residential address, telephone number, e-mail address, Social Security number, driver’s license number, health insurance number, and medical records number — not only of the employee or patient but also of the employer and family members.
Q: Does the Genetic Information Non-Discrimination Act of 2009 (GINA) to permit the collection of family medical history for a health risk assessment that is part of an employee wellness program?
A: As we discussed during the webinar, family medical history is “genetic information” subject to GINA. Under GINA, an employer generally is prohibited from deliberately acquiring genetic information, including family medical history. However, GINA does have an exception that permits the collection of genetic information for an employer-provided wellness program. The following requirements must be met for this exception to apply: (a) the employee provides prior, knowing, voluntary, written authorization; (b) only the employee and the license health care professional or certified genetic counselor receives the results of the health risk assessment; (c) the results of the health risk assessment are used only for purposes of the wellness program; and (d) the results are not provided to the employer.
This entry was written by Philip L. Gordon.