Standards for Privacy of Individually Identifiable Health Information. Final Privacy Rule Preamble.. Section 164.504(f) - Group Health Plans


Comment: Several commenters interpreted the preamble in the proposed rule to mean that only self-insured group health plans were covered entities. Another commenter suggested there was an error in the definition of group health plans because it only included plans with more than 50 participants or plans administered by an entity other than the employer (emphasis added by commenter). This commenter believed the "or" should be an "and" because almost all plans under 50 are administered by another entity and therefore this definition does not exclude most small plans.

Response: We did not intend to imply that only self-insured group health plans are covered health plans. We clarify that all group health plans, both self-insured and fully-funded, with 50 or more participants are covered entities, and that group health plans with fewer than 50 participants are covered health plans if they are administered by another entity. While we agree with the commenter that few group health plans with fewer than 50 participants are self-administered, the "or" is dictated by the statute. Therefore, the statute only exempts group health plans with fewer than 50 participants that are not administered by an entity other than the employer.

Comment: Several commenters stated that the proposed rule mis-characterized the relationship between the employer and the group health plan. The commenters stated that under ERISA and the Internal Revenue Code group health plans are separate legal entities from their employer sponsors. The group health plan itself, however, generally does not have any employees. Most operations of the group health plan are contracted out to other entities or are carried out by employees of the employer who sponsors the plan. The commenters stressed that while group health plans are clearly covered entities, the Department does not have the statutory authority to cover employers or other entities that sponsor group health plans. In contrast, many commenters stated that without covering employers, meaningful privacy protection is unattainable.

Response: We agree that group health plans are separate legal entities from their plan sponsors and that the group health plan itself may be operated by employees of the plan sponsor. We make significant modification to the proposed rule to better reflect this reality. We design the requirements in the final regulation to use the existing regulatory tools provided by ERISA, such as the plan documents required by that law and the constellation of plan administration functions defined by that law that established and maintain the group health plan.

We recognize plan sponsors' legitimate need for health information in certain situations while, at the same time, protecting health information from being used for employment-related functions or for other functions related to other employee benefit plans or other benefits provided by the plan sponsor. We do not attempt to directly regulate plan sponsors, but pursuant to our authority to regulate health plans, we place restrictions on the flow of information from covered entities to non-covered entities. The final rule permits group health plans to disclose protected health information to plan sponsors, and allows them to authorize health insurance issuers or HMOs to disclose protected health information to plan sponsors, if the plan sponsors agree to use and disclose the information only as permitted or required by the regulation. The information may be used only for plan administration functions performed on behalf of the group health plan and specified in the plan documents. Hereafter, any reference to employer in a response to a comment uses the term "plan sponsor," since employers can only receive protected health information in their role as plan sponsors, except as otherwise permitted under this rule, such as with an authorization.

Specifically, in order for a plan sponsor to obtain without authorization protected health information from a group health plan, health insurance issuer, or HMO, the documents under which the group health plan was established and is maintained must be amended to: (1) describe the permitted uses and disclosures of protected health information by the plan sponsor (see above for further explanation); (2) specify that disclosure is permitted only upon receipt of a written certification that the plan documents have been amended; and (3) provide adequate firewalls. The firewalls must identify the employees or classes of employees or other persons under the plan sponsor's control who will have access to protected health information; restrict access to only the employees identified and only for the administrative functions performed on behalf of the group health plan; and provide a mechanism for resolving issues of noncompliance by the employees identified. Any employee of the plan sponsor who receives protected health information in connection with the group health plan must be included in the amendment to the plan documents. As required by ERISA, the named fiduciary is responsible for ensuring the accuracy of amendments to the plan documents.

Group health plans, and health insurance issuers or HMOs with respect to the group health plan, that disclose protected health information to plan sponsors are bound by the minimum necessary standard as described in § 164.514.

Group health plans, to the extent they provide health benefits only through an insurance contract with a health insurance issuer or HMO and do not create, receive, or maintain protected health information (except for summary information or enrollment and disenrollment information), are not required to comply with the requirements of §§ 164.520 or 164.530, except for the documentation requirements of § 164.530(j). In addition, because the group health plan does not have access to protected health information, the requirements of §§ 164.524, 164.526, and 164.528 are not applicable. Individuals enrolled in a group health plan that provides benefits only through an insurance contract with a health insurance issuer or HMO would have access to all rights provided by this regulation through the health insurance issuer or HMO, because they are covered entities in their own right.

Comment: We received several comments from self-insured plans who stated that the proposed rule did not fully appreciate the dual nature of an employer as a plan sponsor and as a insurer. These commenters stated that the regulation should have an exception for employers who are also insurers.

Response: We believe the approach we have taken in the final rule recognizes the special relationship between plan sponsors and group health plans, including group health plans that provide benefits through a self-insured arrangement. The final rule allows plan sponsors and employees of plan sponsors access to protected health information for purposes of plan administration. The group health plan is bound by the permitted uses and disclosures of the regulation, but may disclose protected health information to plan sponsors under certain circumstances. To the extent that group health plans do not provide health benefits through an insurance contract, they are required to establish a privacy officer and provide training to employees who have access to protected health information, as well as meet the other applicable requirements of the regulation.

Comment: Some commenters supported our position not to require individual consent for employers to have access to protected health information for purposes of treatment, payment, and health care operations. For employer sponsored insurance to continue to exist as it does today, the commenters stressed, this policy is essential. Other commenters encouraged the Department to amend the regulation to require authorization for disclosure of information to employers. These commenters stressed that because the employer was not a covered entity, individual consent is the only way to prohibit potential abuses of information.

Response: In the final regulation, we maintain the position in the proposed rule that a health plan, including a group health plan, need not obtain individual consent for use and disclosure of protected health information for treatment, payment and or health care operations purposes. However, we impose conditions (described above) for making such disclosures to the plan sponsor. Because employees of the plan sponsor often perform health care operations and payment (e.g. plan administration) functions, such as claims payment, quality review, and auditing, they may have legitimate need for such information. Requiring authorization from every participant in the plan could make such fundamental plan administration activities impossible. We therefore impose regulatory restrictions, rather than a consent requirement, to prevent abuses. For example, the plan sponsor must certify that any protected health information obtained by its employees through such plan administration activities will not be used for employment-related decisions.

Comment: Several commenters stressed that the regulation must require the establishment of firewalls between group health plans and employers. These commenters stated that firewalls were necessary to prevent the employer from accessing information improperly and using it in making job placements, promotions, and firing decisions. In addition, one commenter stated that employees with access to protected health information must be empowered through this regulation to deny unauthorized access to protected health information to corporate managers and executives.

Response: We agree with the commenters that firewalls are necessary to prevent unauthorized use and disclosure of protected health information. Among the conditions for group health plans to disclose information to plan sponsors, the plan sponsor must establish firewalls to prevent unauthorized uses and disclosures of information. The firewalls include: describing the employees or classes of employees with access to protected health information; restricting access to and use of the protected health information to the plan administration functions performed on behalf of the group health plan and described in plan documents; and providing an effective mechanism for resolving issues of noncompliance.

Comment: Several commenters supported our proposal to cover the health care component of an employer in its capacity as an administrator of the group health plan. These commenters felt the component approach was necessary to prevent the disclosure of protected health information to other parts of the employer where it might be used or disclosed improperly. Other commenters believed the component approach was unworkable and that distinguishing who was in the covered entity would not be as easy as assumed in the proposed rule. One commenter stated it was unreasonable for an employer to go through its workforce division by division and employee by employee designating who is included in the component and who is not. In addition, some commenters argued that we did not have the statutory authority to regulate employers at all, including their health care components.

One commenter requested more guidance with respect to identifying the health care component as proposed under the proposed rule. In particular, the commenter requested that the regulation clearly define how to identify such persons and what activities and functional areas may be included. The commenter alleged that identification of persons needing access to protected health information will be administratively burdensome. Another commenter requested clarification on distinguishing the component entity from non-component entities within an organization and how to administer such relationships. The commenter stated that individuals included in the covered entity could change on a daily basis and advocated for a simpler set of rules governing intra-organizational relationships as opposed to inter-organizational relationships.

Response: While we have not adopted the component approach for plan sponsors in the final rule, plan sponsors who want protected health information must still identify who in the organization will have access to the information. Several of the changes we make to the NPRM will make this designation easier. First, we move from "component" to a more familiar functional approach. We limit the employees of the plan sponsor who may receive protected health information to those employees performing plan administration functions, as that term is understood with respect to ERISA compliance, and as limited by this rule's definitions of payment and health care operation. We also allow designation of a class of employees (e.g., all employees assigned to a particular department) or individual employees.

Although some commenters have asked for guidance, we have intentionally left the process flexible to accommodate different organizational structures. Plan sponsors may identify who will have access to protected health information in whatever way best reflects their business needs as long as participants can reasonably identify who will have access. For example, persons may be identified by naming individuals, job titles (e.g. Director of Human Resources), functions (e.g. employees with oversight responsibility for the outside third party claims administrator), divisions of the company (e.g. Employee Benefits) or other entities related to the plan sponsor. We believe this flexibility will also ease any administrative burden that may result from the identification process. Identification in terms such as "individuals who from time to time may need access to protected health information" or in other broad or generic ways, however, would not be sufficient.

Comment: In addition to the comments on the component approach itself, several commenters pointed out that many employees wear two hats in the organization, one for the group health plan and one for the employer. The commenters stressed that these employees should not be regulated when they are performing group health plan functions. This arrangement is necessary, particularly in small employers where the plan fiduciary may also be in charge of other human resources functions. The commenter recommended that employees be allowed access to information when necessary to perform health plan functions while prohibiting them from using the information for non-health plan functions.

Response: We agree with the commenters that many employees perform multiple functions in an organization and we design these provisions specifically to accommodate this way of conducting business. Under the approach taken in the final regulation, employees who perform multiple functions (i.e. group health plan and employment-related functions) may receive protected health information from group health plans, but among other things, the plan documents must certify that these employees will not use the information for activities not otherwise permitted by this rule including for employment-related activities.

Comment: Several commenters pointed out that the amount of access needed to protected health information varies greatly from employer to employer. Some employers may perform many plan administration functions themselves which are not possible without access to protected health information. Other employers may simply offer health insurance by paying a premium to a health insurance issuer rather than provide or administer health benefits themselves. Some commenters argued that fully insured plans should not be covered under the rule. Similarly, some commenters argued that the regulation was overly burdensome on small employers, most of whom fully insure their group health plans. Other commenters pointed out that health insurance issuers - even in fully insured arrangements - are often asked for identifiable health information, sometimes for legitimate purposes such as auditing or quality assurance, but sometimes not. One commenter, representing an insurer, gave several examples of employer requests, including claims reports for employees, individual and aggregate amounts paid for employees, identity of employees using certain drugs, and the identity, diagnosis and anticipated future costs for "high cost" employees. This same commenter requested guidance in what types of information can be released to employers to help them determine the organization's responsibilities and liabilities.

Response: In the final regulation we recognize the diversity in plan sponsors' need for protected health information. Many plan sponsors need access to protected health information to perform plan administration functions, including eligibility and enrollment functions, quality assurance, claims processing, auditing, monitoring, trend analysis, and management of carve-out plans (such as vision and dental plans). In the final regulation we allow group health plans to disclose protected health information to plan sponsors if the plan sponsor voluntarily agrees to use the information only in accordance with the purposes stated in the plan documents and as permitted by the regulation. We clarify, however, that plan administration does not include any employment-related decisions, including fitness for duty determinations, or duties related to other employee benefits or plans. Plan documents may only permit health insurance issuers to disclose protected health information to a plan sponsor as is otherwise permitted under this rule and consistent with the minimum necessary standard.

Some plan sponsors, including those with a fully insured group health plan, do not perform plan administration functions on behalf of group health plans, but still may require health information for other purposes, such as modifying, amending or terminating the plan or soliciting bids from prospective issuers or HMOs. In the ERISA context actions undertaken to modify, amend or terminate a group health plan may be known as "settlor" functions (see Lockheed Corp. v. Spink, 517 U.S. 882 (1996)). For example, a plan sponsor may require access to information to evaluate whether to adopt a three-tiered drug formulary. Additionally, a prospective health insurance issuer may need claims information from a plan sponsor in order to provide rating information. The final rule permits plan sponsors to receive summary health information with identifiers removed in order to carry out such functions. Summary health information is information that summarizes the claims history, expenses, or types of claims by individuals enrolled in the group health plan. In addition, the identifiers listed in § 164.514(b)(2)(i) must be removed prior to disclosing the information to a plan sponsor for purposes of modifying, amending, or terminating the plan. See § 164.504(a). This information does not constitute de-identified information because there may be a reasonable basis to believe the information is identifiable to the plan sponsor, especially if the number of participants in the group health plan is small. A group health plan, however, may not permit an issuer or HMO to disclose protected health information to a plan sponsor unless the requirement in § 164.520 states that this disclosure may occur.

Comment: Several commenters stated that health insurance issuers cannot be held responsible for employers' use of protected health information. They stated that the issuer is the agent of the employer and it should not be required to monitor the employer's use and disclosure of information.

Response: Under this regulation, health insurance issuers are covered entities and responsible for their own uses and disclosures of protected health information. A group health plan must require a health insurance issuer or HMO providing coverage to the group health plan to disclose information to the plan sponsor only as provided in the plan documents.

Comment: Several commenters urged us to require de-identified information to be used to the greatest extent possible when information is being shared with employers.

Response: De-identified information is not sufficient for many functions plan sponsors perform on behalf of their group health plans. We have created a process to allow plan sponsors and their employees access to protected health information when necessary to administer the plan. We note that all uses and disclosures of protected health information by the group health plan are bound by the minimum necessary standard.

Comment: One commenter representing church plans argued that the regulation should treat such plans differently from other group health plans. The commenter was concerned about the level of access to information the Secretary would have in performing compliance reviews and suggested that a higher degree of sensitivity is need for information related to church plans than information related to other group health plans. This sensitivity is needed, the commenter alleged, to reduce unnecessary intrusion into church operations. The commenter also advocated that church plans found to be out of compliance should be able to self-correct within a stated time frame (270 days) and avoid paying penalty taxes as allowed in the Internal Revenue Code.

Response: We do not believe there is sufficient reason to treat church plans differently than other covered entities. The intent of the compliance reviews is to determine whether or not the plan is abiding by the regulation, not to gather information on the general operations of the church. As required by § 160.310(c), the covered entity must provide access only to information that is pertinent to ascertaining compliance with part 160 or subpart E of 164.

Comment: Several commenters stated that employers often advocate on behalf of their employees in benefit disputes and appeals, answer questions with regard to the health plan, and generally help them navigate their health benefits. These commenters questioned whether this type of assistance would be allowed under the regulation, whether individual consent was required, and whether this intervention would make them a covered entity.

Response: The final rule does nothing to hinder or prohibit plan sponsors from advocating on behalf of group health plan participants or providing assistance in understanding their health plan. Under the privacy rule, however, the plan sponsor could not obtain any information from the group health plan or a covered provider unless authorization was given. We do not believe obtaining authorization when advocating or providing assistance will be impractical or burdensome since the individual is requesting assistance and therefore should be willing to provide authorization. Advocating on behalf of participants or providing other assistance does not make the plan sponsor a covered entity.