Standards
for Privacy of Individually Identifiable Health Information
C. Section 164.504--Uses and Disclosures: Organizational
Requirements
2. Group Health Plan Disclosures of Enrollment and Disenrollment
Information to Plan Sponsors
December 2000 Privacy Rule
The Department recognized the legitimate need of plan sponsors
and employers to access health information held by group health
plans in order to carry out essential functions related to the group
health plan. Therefore, the Privacy Rule at Sec. 164.504(f) permits
a group health plan, and health insurance issuers or HMOs with respect
to the group health plan, to disclose protected health information
to a plan sponsor provided that, among other requirements, the plan
documents are amended appropriately to reflect and restrict the
plan sponsor's uses and disclosures of such information. The Department
further determined that there were two situations in which protected
health information could be shared between the group health plan
and the plan sponsor without individual authorization or an amendment
to the plan documents. First, Sec. 164.504(f) permits the group
health plan to share summary health information (as defined in Sec.
164.504(a)) with the plan sponsor. Second, a group health plan is
allowed to share enrollment or disenrollment information with the
plan sponsor without amending the plan documents as required by
Sec. 164.504(f). As explained in the preamble to the December 2000
Privacy Rule, a plan sponsor is permitted to perform enrollment
functions on behalf of its employees without meeting the requirements
of Sec. 164.504(f), as such functions are considered outside of
the plan administration functions. However, the second exception
was not stated in the regulation text.
March 2002 NPRM
The ability of group health plans to disclose enrollment or disenrollment
information without amending the plan documents was addressed only
in the preamble to the Privacy Rule. The absence of a specific provision
in the regulation text caused many entities to conclude that plan
documents would need to be amended for enrollment and disenrollment
information to be exchanged between plans and plan sponsors. To
remedy this misunderstanding and make its policy clear, the Department
proposed to add an explicit exception at Sec. 164.504(f)(1)(iii)
to clarify that group health plans (or health insurance issuers
or HMOs with respect to group health plans, as appropriate) are
permitted to disclose enrollment or disenrollment information to
a plan sponsor without meeting the plan document amendment and other
related requirements.
Overview of Public Comments
The following discussion provides an overview of the public comment
received on this proposal. Additional comments received on this
issue are discussed below in the section entitled, "Response
to Other Public Comments."
Commenters in general supported the proposed modification. Some
supported the proposal because it was limited to information about
whether an individual is participating or enrolled in a group health
plan and would not permit the disclosure of any other protected
health information. Others asserted that the modification is a reasonable
approach because enrollment and disenrollment information is needed
by plan sponsors for payroll and other employment reasons.
Final Modifications
The Department adopts the modification to Sec. 164.504(f)(1)(iii)
essentially as proposed. Thus, a group health plan, or a health
insurance issuer or HMO acting for a group health plan, may disclose
to a plan sponsor information on whether the individual is participating
in the group health plan, or is enrolled in or has disenrolled from
a health insurance issuer or HMO offered by the plan. This disclosure
can be made without amending the plan documents. In adopting the
modification as a final Rule, the Department deletes the phrase
"to the plan sponsor" that appeared at the end of the
proposed new provision, as mere surplusage.
As a result of the modification, summary health information and
enrollment and disenrollment information are treated consistently.
Under Sec. 164.504(f), as modified, group health plans can share
summary health information and enrollment or disenrollment information
with plan sponsors without having to amend the plan documents. Section
164.520(a) provides that a fully insured group health plan does
not need to comply with the Privacy Rule's notice requirements if
the only protected health information it creates or receives is
summary health information and/or information about individuals'
enrollment in, or disenrollment from, a health insurer or HMO offered
by the group health plan. Similarly, in Sec. 164.530(k), the Department
exempts fully insured group health plans from many of the administrative
requirements in that section if the only protected health information
held by the group health plan is summary health information and/or
information about individuals' enrollment in, or disenrollment from,
a health insurer or HMO offered by the group health plan. Such consistency
will simplify compliance with the Privacy Rule.
Response to Other Public Comments
Comment: One commenter stated that there needs to be protection
for health information given to group health plans on enrollment
forms. In particular, this commenter suggested that the Department
include a definition of "enrollment" or "disenrollment"
information that specifies that medical information, such as past
or present medical conditions and doctor or hospital visits, is
not enrollment information, but rather is individually identifiable
health information, and therefore, subject to the Privacy Rule's
protections.
Response: Individually identifiable health information received
or created by the group health plan for enrollment purposes is protected
health information under the Privacy Rule. The modification to Sec.
164.504(f) being adopted in this rulemaking does not affect this
policy. The Privacy Rule does not define the information that may
be transmitted for enrollment and disenrollment purposes. Rather,
the Department in the Transactions Rule has adopted a standard transaction
for enrollment and disenrollment in a health plan. That standard
(ASC X12N 834, Benefit Enrollment and Maintenance, Version 4010,
May 2000, Washington Publishing Company) specifies the required
and situationally required data elements to be transmitted as part
of such a transaction. While the standard enrollment and disenrollment
transaction does not include any substantial clinical information,
the information provided as part of the transaction may indicate
whether or not tobacco use, substance abuse, or short, long-term,
permanent, or total disability is relevant, when such information
is available. However, the Department clarifies that, in disclosing
or maintaining information about an individual's enrollment in,
or disenrollment from, a health insurer or HMO offered by the group
health plan, the group health plan may not include medical information
about the individual above and beyond that which is required or
situationally required by the standard transaction and still qualify
for the exceptions for enrollment and disenrollment information
allowed under the Rule.
Comment: Several commenters recommended that enrollment
and disenrollment information specifically be excluded from the
definition of "protected health information." They argued
that this change would be warranted because enrollment and disenrollment
information do not include health information. They further argued
that such a change would help alleviate confusion surrounding the
application of the Privacy Rule to employers.
Response: We disagree that enrollment and disenrollment
information should be excluded from the definition of "protected
health information." Enrollment and disenrollment information
falls under the statutory definition of "individually identifiable
health information," since it is received or created by a health
plan, identifies an individual, and relates to the past, present,
or future payment for the provision of health care to an individual.
As such, the Department believes there is no statutory basis to
exclude such information from the definition of "protected
health information." The Department believes that the exception
to the requirement for group health plans to amend plan documents
that has been added to the Privacy Rule for enrollment and disenrollment
information balances the legitimate need that plan sponsors have
for enrollment and disenrollment information against the individual's
right to have such information kept private and confidential.
Comment: Given that, under Sec. 164.504(f)(2), plan sponsors
agree not to use or further disclose protected health information
other than as permitted or required by plan documents or "required
by law," one commenter requested that the definition of "required
by law" set forth at Sec. 164.501 should be revised to reflect
that it applies not only to covered entities, but also to plan sponsors
who are required to report under OSHA or similar laws.
Response: The Department agrees and has made a technical
correction to the definition of "required by law"
in Sec. 164.501 to reflect that the definition applies
to a requirement under law that compels any entity,
not just a covered entity, to make a use or disclosure
of protected health information.