This article is the second in a two-part series addressing whether and how the Privacy and Security Rules (the “Rules”) under the Health Insurance Portability and Accountability Act (HIPAA) apply to various legal entities. Part One addressed Covered Entities and appeared in our October 2018 newsletter. This article addresses Business Associates of Covered Entities that are self-insured group health plans.[1]
Quick Recap
Covered Entities are the key stakeholders in the delivery and payment of health care, but they frequently partner with other organizations for assistance. Many of these organizations will need to come into contact with Protected Health Information (PHI) to assist the Covered Entity. Remember, PHI is:
- Information about a past, present, or future health condition, treatment for a health condition, or payment for the treatment of a health condition;
- Identifiable to a specific individual;
- Created and/or received by a Covered Entity or Business Associate acting on behalf of a Covered Entity; and
- Maintained or transmitted in any form.
What's a Business Associate?
In the group health plan context, HIPAA defines a Business Associate as a third party that requires PHI to perform some function or service on behalf of a group health plan. In other words, a third party that helps make your health plan go but needs PHI to do it. The third party might create, receive, store, or transmit[2] the PHI in this role, but it must be “PHI sticky” in at least one of those ways to be considered a Business Associate. Many of HIPAA’s Privacy and Security requirements apply directly to Business Associates.
Yes | No | Maybe So |
COBRA Administrators
If a COBRA administrator merely receives enrollment and disenrollment information from the employer (as plan sponsor), the information it receives is not PHI and the COBRA administrator is not technically a Business Associate of the group health plan. The nature and source of the information provided is easily blurred between the employer and group health plan, and it’s common for COBRA administrators to agree to be treated as Business Associates.
The Curious Case of Stop-Loss
The Rules indicate that stop-loss carriers are not Business Associates of a group health plan when the stop-loss policy insures the plan itself. The Rules are less clear about the more likely scenario where the stop-loss policy insures the employer/plan sponsor directly. In practice, stop-loss carriers are often reluctant to be treated as Business Associates and are frequently excluded. We recommend employers enter into robust non-disclosure agreements with stop-loss carriers not treated as Business Associates.
Business Associate Contracts
Your organization’s group health plan is required to enter into a contractual agreement with all of your Business Associates outlining how the Business Associate may use and disclose PHI, how it will secure PHI, and other rights and obligations the parties have under the Rules.[3] The Department of Health and Human Services (DHHS) has provided sample business associate contract language. Among other items, the contract must include language addressing the parties’ responsibilities when unsecured PHI is improperly used or disclosed (a “breach”). Your organization has a limited amount of time to investigate and respond to a breach.
As a practical matter, it is the employer (as plan sponsor) who must secure the contract for all of the plan’s Business Associates, but Business Associates will often supply their version of this contract to the employer without being prompted. It is in each party’s best business interest to use a standardized contract for administrative ease rather than having to honor the commitments of contracts from different sources, so there is a natural tension between the parties who each favor their own contracts. The requirements for a Business Associate contract are pretty standard, but it is not unusual for the contract to be more favorable toward the drafting party or to include additional contractual terms beyond what the Rules require, so it is important to have this reviewed by your legal counsel.
Subcontractors
Sometimes Business Associates contract with other organizations to perform one or more functions the Business Associate was hired to perform for the group health plan (“subcontractors” who are also PHI sticky), and there is no direct relationship between the health plan and the subcontractor. Your Business Associate must represent, in its Business Associate contract with your organization, that it has a contract in place with its subcontractor that provides for all of the same protections under the Rules with respect to any PHI related to your health plan.
Example – A self-insured medical plan engages a TPA for claims administration and other services. One of these services is claims monitoring to reduce fraud, waste, and abuse. The claims monitoring services are actually provided by a subsidiary of the TPA, and the medical plan does not have a direct contract with the claims monitoring subsidiary. The TPA is a Business Associate of the medical plan. The claims monitoring entity is a Business Associate of the TPA and should be addressed as a subcontractor within the Business Associate contract between the medical plan and the TPA.
Next Steps
You should always know who your Business Associates are and should make sure you have a list of all the current vendors who provide services related to your health plans. Of these vendors, which ones use PHI to perform a function on behalf of a group health plan?
These are your Business Associates, and you should maintain current Business Associate contracts with all of them. Don’t forget to make this an implementation step when adding a new vendor who will be a Business Associate to your health plan(s).
[1] In Part One, we addressed that insurance carriers are the Covered Entities for fully-insured group health plans and that employers/plan sponsors generally have few obligations under the Rules for those plans.
[2] A third party that only transmits PHI without accessing or storing it may qualify for an exception as a mere conduit of the information.
[3] A failure to enter into the contract does not mean the third party is not your Business Associate and just subjects you to potential penalties for non-compliance.
The information contained herein is for general informational purposes only and does not constitute legal or tax advice regarding any specific situation. Any statements made are based solely on our experience as consultants. Marsh & McLennan Agency LLC shall have no obligation to update this publication and shall have no liability to you or any other party arising out of this publication or any matter contained herein. The information provided in this alert is not intended to be, and shall not be construed to be, either the provision of legal advice or an offer to provide legal services, nor does it necessarily reflect the opinions of the agency, our lawyers or our clients. This is not legal advice. No client-lawyer relationship between you and our lawyers is or may be created by your use of this information. Rather, the content is intended as a general overview of the subject matter covered. This agency is not obligated to provide updates on the information presented herein. Those reading this alert are encouraged to seek direct counsel on legal questions. © 2018 Marsh & McLennan Agency LLC. All Rights Reserved.