Standards for Privacy of Individually Identifiable Health Information. Final Privacy Rule Preamble.. Payment.

12/28/2000

We proposed the term payment to mean:

(1) The activities undertaken by or on behalf of a covered entity that is:

(i) A health plan, or by a business partner on behalf of a health plan, to obtain premiums or to determine or fulfill its responsibility for coverage under the health plan and for provision of benefits under the health plan; or

(ii) A health care provider or health plan, or a business partner on behalf of such provider or plan, to obtain reimbursement for the provision of health care.

(2) Activities that constitute payment include:

(i) Determinations of coverage, adjudication or subrogation of health benefit claims;

(ii) Risk adjusting amounts due based on enrollee health status and demographic characteristics;

(iii) Billing, claims management, and medical data processing;

(iv) Review of health care services with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges; and

(v) Utilization review activities, including precertification and preauthorization of services.

In the final rule, we maintain the general approach of defining of payment: payment activities are described generally in the first clause of the definition, and specific examples are given in the second clause. Payment activities relate to the covered entity that maintains the protected health information (i.e., one covered entity may not disclose protected health information for the payment activities of a second covered entity). A covered entity may use or disclose only the protected health information about the individual to whom care was rendered, for its payment activities (e.g., a provider may disclose protected health information only about the patient to whom care was rendered in order to obtain payment for that care, or only the protected health information about persons enrolled in the particular health plan that seeks to audit the provider's records). We expand the proposed list to reflect many changes requested by commenters.

We add eligibility determinations as an activity included in the definition of payment. We expand coverage determinations to include the coordination of benefits and the determination of a specific individual's cost sharing amounts. The rule deletes activities related to the improvement of methods of paying or coverage policies from this definition and instead includes them in the definition of health care operations. We add to the definition "collection activities." We replace "medical data processing" activities with health care data processing related to billing, claims management, and collection activities. We add activities for the purpose of obtaining payment under a contract for reinsurance (including stop-loss and excess of loss insurance). Utilization review activities now include concurrent and retrospective review of services.

In addition, we modify this definition to clarify that the activities described in section 1179 of the Act are included in the definition of "payment." We add new subclause (vi) allowing covered entities to disclose to consumer reporting agencies an individual's name, address, date of birth, social security number and payment history, account number, as well as the name and address of the individual's health care provider and/or health plan, as appropriate. Covered entities may make disclosure of this protected health information to consumer reporting agencies for purposes related to collection of premiums or reimbursement. This allows reporting not just of missed payments and overdue debt but also of subsequent positive payment experience (e.g., to expunge the debt). We consider such positive payment experience to be "related to" collection of premiums or reimbursement.

The remaining activities described in section 1179 are included in other language in this definition. For example, "authorizing, processing, clearing, settling, billing, transferring, reconciling or collecting, a payment for, or related to, health plan premiums or health care" are covered by paragraph (2)(iii) of the definition, which allows use and disclosure of protected health information for "billing, claims management, collection activities and related health care data processing." "Claims management" also includes auditing payments, investigating and resolving payment disputes and responding to customer inquiries regarding payments. Disclosure of protected health information for compliance with civil or criminal subpoenas, or with other applicable laws, are covered under§ 164.512 of this regulation. (See discussion above regarding the interaction between 1179 and this regulation.)

We modify the proposed regulation text to clarify that payment includes activities undertaken to reimburse health care providers for treatment provided to individuals.

Covered entities may disclose protected health information for payment purposes to any other entity, regardless of whether it is a covered entity. For example, a health care provider may disclose protected health information to a financial institution in order to cash a check or to a health care clearinghouse to initiate electronic transactions. However, if a covered entity engages another entity, such as a billing service or a financial institution, to conduct payment activities on its behalf, the other entity may meet the definition of 'business associate' under this rule. For example, an entity is acting as a business associate when it is operating the accounts receivable system on behalf of a health care provider.

Similarly, payment includes disclosure of protected health information by a health care provider to an insurer that is not a 'health plan' as defined in this rule, to obtain payment. For example, protected health information may be disclosed to obtain reimbursement from a disability insurance carrier. We do not interpret the definition of "payment" to include activities that involve the disclosure of protected health information by a covered entity, including a covered health care provider, to a plan sponsor for the purpose of obtaining payment under a group health plan maintained by such plan sponsor, or for the purpose of obtaining payment from a health insurance issuer or HMO with respect to a group health plan maintained by such plan sponsor, unless the plan sponsor is performing plan administration pursuant to § 164.504(f).

The Transactions Rule adopts standards for electronic health care transactions, including two for processing payments. We adopted the ASC X12N 835 transaction standard for "Health Care Payment and Remittance Advice" transactions between health plans and health care providers, and the ASC X12N 820 standard for "Health Plan Premium Payments" transactions between entities that arrange for the provision of health care or provide health care coverage payments and health plans. Under these two transactions, information to effect funds transfer is transmitted in a part of the transaction separable from the part containing any individually identifiable health information.

We note that a covered entity may conduct the electronic funds transfer portion of the two payment standard transactions with a financial institution without restriction, because it contains no protected health information. The protected health information contained in the electronic remittance advice or the premium payment enrollee data portions of the transactions is not necessary either to conduct the funds transfer or to forward the transactions. Therefore, a covered entity may not disclose the protected health information to a financial institution for these purposes. A covered entity may transmit the portions of the transactions containing protected health information through a financial institution if the protected health information is encrypted so it can be read only by the intended recipient. In such cases no protected health information is disclosed and the financial institution is acting solely as a conduit for the individually identifiable data.