    HIPAA Privacy Regulations: Uses and Disclosures: Organizational Requirements: Requirements for Group Health Plans - § 164.504(f)

    As Contained in the HHS HIPAA Privacy Rules

     

    HHS Regulations as Amended January 2013
    Uses and Disclosures: Organizational Requirements: Requirements for Group Health Plans - § 164.504(f)

     

    (f)(1) Standard: Requirements for group health plans. (i) Except as provided under paragraph (f)(1)(ii) or (iii) of this section or as otherwise authorized under §164.508, a group health plan, in order to disclose protected health information to the plan sponsor or to provide for or permit the disclosure of protected health information to the plan sponsor by a health insurance issuer or HMO with respect to the group health plan, must ensure that the plan documents restrict uses and disclosures of such information by the plan sponsor consistent with the requirements of this subpart.

    (ii) Except as prohibited by §164.502(a)(5)(i), the group health plan, or a health insurance issuer or HMO with respect to the group health plan, may disclose summary health information to the plan sponsor, if the plan sponsor requests the summary health information for purposes of:

    (A) Obtaining premium bids from health plans for providing health insurance coverage under the group health plan; or

    (B) Modifying, amending, or terminating the group health plan.

    (iii) The group health plan, or a health insurance issuer or HMO with respect to the group health plan, may disclose to the plan sponsor information on whether the individual is participating in the group health plan, or is enrolled in or has disenrolled from a health insurance issuer or HMO offered by the plan.

    (2) Implementation specifications: Requirements for plan documents. The plan documents of the group health plan must be amended to incorporate provisions to:

    (i) Establish the permitted and required uses and disclosures of such information by the plan sponsor, provided that such permitted and required uses and disclosures may not be inconsistent with this subpart.

    (ii) Provide that the group health plan will disclose protected health information to the plan sponsor only upon receipt of a certification by the plan sponsor that the plan documents have been amended to incorporate the following provisions and that the plan sponsor agrees to:

    (A) Not use or further disclose the information other than as permitted or required by the plan documents or as required by law;

    (B) Ensure that any agents to whom it provides protected health information received from the group health plan agree to the same restrictions and conditions that apply to the plan sponsor with respect to such information;

    (C) Not use or disclose the information for employment-related actions and decisions or in connection with any other benefit or employee benefit plan of the plan sponsor;

    (D) Report to the group health plan any use or disclosure of the information that is inconsistent with the uses or disclosures provided for of which it becomes aware;

    (E) Make available protected health information in accordance with §164.524;

    (F) Make available protected health information for amendment and incorporate any amendments to protected health information in accordance with §164.526;

    (G) Make available the information required to provide an accounting of disclosures in accordance with §164.528;

    (H) Make its internal practices, books, and records relating to the use and disclosure of protected health information received from the group health plan available to the Secretary for purposes of determining compliance by the group health plan with this subpart;

    (I) If feasible, return or destroy all protected health information received from the group health plan that the sponsor still maintains in any form and retain no copies of such information when no longer needed for the purpose for which disclosure was made, except that, if such return or destruction is not feasible, limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible; and

    (J) Ensure that the adequate separation required in paragraph (f)(2)(iii) of this section is established.

    (iii) Provide for adequate separation between the group health plan and the plan sponsor. The plan documents must:

    (A) Describe those employees or classes of employees or other persons under the control of the plan sponsor to be given access to the protected health information to be disclosed, provided that any employee or person who receives protected health information relating to payment under, health care operations of, or other matters pertaining to the group health plan in the ordinary course of business must be included in such description;

    (B) Restrict the access to and use by such employees and other persons described in paragraph (f)(2)(iii)(A) of this section to the plan administration functions that the plan sponsor performs for the group health plan; and

    (C) Provide an effective mechanism for resolving any issues of noncompliance by persons described in paragraph (f)(2)(iii)(A) of this section with the plan document provisions required by this paragraph.

    (3) Implementation specifications: Uses and disclosures. A group health plan may:

    (i) Disclose protected health information to a plan sponsor to carry out plan administration functions that the plan sponsor performs only consistent with the provisions of paragraph (f)(2) of this section;

    (ii) Not permit a health insurance issuer or HMO with respect to the group health plan to disclose protected health information to the plan sponsor except as permitted by this paragraph;

    (iii) Not disclose and may not permit a health insurance issuer or HMO to disclose protected health information to a plan sponsor as otherwise permitted by this paragraph unless a statement required by §164.520(b)(1)(iii)(C) is included in the appropriate notice; and

    (iv) Not disclose protected health information to the plan sponsor for the purpose of employment-related actions or decisions or in connection with any other benefit or employee benefit plan of the plan sponsor.

     

    HHS Description of and Commentary From the January 2013 Amendments
    Uses and Disclosures: Organizational Requirements: Requirements for Group Health Plans

     

    Underwriting Purposes

    Proposed Rule

    Section 164.504(f)(1)(ii) permits a group health plan, or health insurance issuer or HMO with respect to the group health plan, to disclose summary health information to the plan sponsor if the plan sponsor requests the information for the purpose of obtaining premium bids from health plans for providing health insurance coverage under the group health plan, or for modifying, amending, or terminating the group health plan. As this provision permits activities that constitute “underwriting purposes,” as defined by GINA and the proposed rule, the Department proposed to modify § 164.504(f)(1)(ii) to clarify that § 164.504(f)(1)(ii) would not allow a disclosure of protected health information that is otherwise prohibited by the underwriting prohibition.

    Overview of Public Comments

    The Department received one comment in support of this modification.

    Final Rule

    The final rule adopts the modification to § 164.504(f)(1)(ii).

     

    HHS Description and Commentary From the August 2002 Revisions
    Uses and Disclosures: Organizational Requirements: Requirements for Group Health Plans

     

    December 2000 Privacy Rule. The Department recognized the legitimate need of plan sponsors and employers to access health information held by group health plans in order to carry out essential functions related to the group health plan. Therefore, the Privacy Rule at § 164.504(f) permits a group health plan, and health insurance issuers or HMOs with respect to the group health plan, to disclose protected health information to a plan sponsor provided that, among other requirements, the plan documents are amended appropriately to reflect and restrict the plan sponsor's uses and disclosures of such information. The Department further determined that there were two situations in which protected health information could be shared between the group health plan and the plan sponsor without individual authorization or an amendment to the plan documents. First, § 164.504(f) permits the group health plan to share summary health information (as defined in § 164.504(a)) with the plan sponsor. Second, a group health plan is allowed to share enrollment or disenrollment information with the plan sponsor without amending the plan documents as required by § 164.504(f). As explained in the preamble to the December 2000 Privacy Rule, a plan sponsor is permitted to perform enrollment functions on behalf of its employees without meeting the requirements of § 164.504(f), as such functions are considered outside of the plan administration functions. However, the second exception was not stated in the regulation text.

    March 2002 NPRM. The ability of group health plans to disclose enrollment or disenrollment information without amending the plan documents was addressed only in the preamble to the Privacy Rule. The absence of a specific provision in the regulation text caused many entities to conclude that plan documents would need to be amended for enrollment and disenrollment information to be exchanged between plans and plan sponsors. To remedy this misunderstanding and make its policy clear, the Department proposed to add an explicit exception at § 164.504(f)(1)(iii) to clarify that group health plans (or health insurance issuers or HMOs with respect to group health plans, as appropriate) are permitted to disclose enrollment or disenrollment information to a plan sponsor without meeting the plan document amendment and other related requirements.

    Overview of Public Comments. The following discussion provides an overview of the public comment received on this proposal.

    Commenters in general supported the proposed modification. Some supported the proposal because it was limited to information about whether an individual is participating or enrolled in a group health plan and would not permit the disclosure of any other protected health information. Others asserted that the modification is a reasonable approach because enrollment and disenrollment information is needed by plan sponsors for payroll and other employment reasons.

    Final Modifications. The Department adopts the modification to § 164.504(f)(1)(iii) essentially as proposed. Thus, a group health plan, or a health insurance issuer or HMO acting for a group health plan, may disclose to a plan sponsor information on whether the individual is participating in the group health plan, or is enrolled in or has disenrolled from a health insurance issuer or HMO offered by the plan. This disclosure can be made without amending the plan documents. In adopting the modification as a final Rule, the Department deletes the phrase "to the plan sponsor" that appeared at the end of the proposed new provision, as mere surplusage.

    As a result of the modification, summary health information and enrollment and disenrollment information are treated consistently. Under § 164.504(f), as modified, group health plans can share summary health information and enrollment or disenrollment information with plan sponsors without having to amend the plan documents. Section 164.520(a) provides that a fully insured group health plan does not need to comply with the Privacy Rule's notice requirements if the only protected health information it creates or receives is summary health information and/or information about individuals' enrollment in, or disenrollment from, a health insurer or HMO offered by the group health plan. Similarly, in § 164.530(k), the Department exempts fully insured group health plans from many of the administrative requirements in that section if the only protected health information held by the group health plan is summary health information and/or information about individuals' enrollment in, or disenrollment from, a health insurer or HMO offered by the group health plan. Such consistency will simplify compliance with the Privacy Rule.

    Response to Other Public Comments.

    Comment: One commenter stated that there needs to be protection for health information given to group health plans on enrollment forms. In particular, this commenter suggested that the Department include a definition of "enrollment" or "disenrollment" information that specifies that medical information, such as past or present medical conditions and doctor or hospital visits, is not enrollment information, but rather is individually identifiable health information, and therefore, subject to the Privacy Rule's protections.

    Response: Individually identifiable health information received or created by the group health plan for enrollment purposes is protected health information under the Privacy Rule. The modification to § 164.504(f) being adopted in this rulemaking does not affect this policy. The Privacy Rule does not define the information that may be transmitted for enrollment and disenrollment purposes. Rather, the Department in the Transactions Rule has adopted a standard transaction for enrollment and disenrollment in a health plan. That standard (ASC X12N 834, Benefit Enrollment and Maintenance, Version 4010, May 2000, Washington Publishing Company) specifies the required and situationally required data elements to be transmitted as part of such a transaction. While the standard enrollment and disenrollment transaction does not include any substantial clinical information, the information provided as part of the transaction may indicate whether or not tobacco use, substance abuse, or short, long-term, permanent, or total disability is relevant, when such information is available. However, the Department clarifies that, in disclosing or maintaining information about an individual's enrollment in, or disenrollment from, a health insurer or HMO offered by the group health plan, the group health plan may not include medical information about the individual above and beyond that which is required or situationally required by the standard transaction and still qualify for the exceptions for enrollment and disenrollment information allowed under the Rule.

    Comment: Several commenters recommended that enrollment and disenrollment information specifically be excluded from the definition of "protected health information." They argued that this change would be warranted because enrollment and disenrollment information do not include health information. They further argued that such a change would help alleviate confusion surrounding the application of the Privacy Rule to employers.

    Response: We disagree that enrollment and disenrollment information should be excluded from the definition of "protected health information." Enrollment and disenrollment information fall under the statutory definition of "individually identifiable health information," since it is received or created by a health plan, identifies an individual, and relates to the past, present, or future payment for the provision of health care to an individual. As such, the Department believes there is no statutory basis to exclude such information from the definition of "protected health information." The Department believes that the exception to the requirement for group health plans to amend plan documents that has been added to the Privacy Rule for enrollment and disenrollment information balances the legitimate need that plan sponsors have for enrollment and disenrollment information against the individual's right to have such information kept private and confidential.

    Comment: Given that, under § 164.504(f)(2), plan sponsors agree not to use or further disclose protected health information other than as permitted or required by plan documents or "required by law," one commenter requested that the definition of "required by law" set forth at § 164.501 should be revised to reflect that it applies not only to covered entities, but also to plan sponsors who are required to report under OSHA or similar laws.

    Response: The Department agrees and has made a technical correction to the definition of "required by law" in § 164.501 to reflect that the definition applies to a requirement under law that compels any entity, not just a covered entity, to make a use or disclosure of protected health information.

     

    HHS Description from Original Rulemaking
    Uses and Disclosures: Organizational Requirements: Requirements for Group Health Plans

     

    Covered entities under HIPAA include health care clearinghouses, health care providers and health plans. Specifically included in the definition of “health plan” are group health plans (as defined in section 2791(a) of the Public Health Service Act) with 50 or more participants or those of any size that are administered by an entity other than the employer who established and maintains the plan. These group health plans may be fully insured or self-insured. Neither employers nor other group health plan sponsors are defined as covered entities. However, employers and other plan sponsors - particularly those sponsors with self-insured group health plans - may perform certain functions that are integrally related to or similar to the functions of group health plans and, in carrying out these functions, often require access to individual health information held by the group health plan.

    Most group health plans are also regulated under the Employee Retirement Income Security Act of 1974 (ERISA). Under ERISA, a group health plan must be a separate legal entity from its plan sponsor. ERISA-covered group health plans usually do not have a corporate presence, in other words, they may not have their own employees and sometimes do not have their own assets (i.e., they may be fully insured or the benefits may be funded through the general assets of the plan sponsor, rather than through a trust). Often, the only tangible evidence of the existence of a group health plan is the contractual agreement that describes the rights and responsibilities of covered participants, including the benefits that are offered and the eligible recipients.

    ERISA requires the group health plan to identify a “named fiduciary,” a person responsible for ensuring that the plan is operated and administered properly and with ultimate legal responsibility for the plan. If the plan documents under which the group health plan was established and is maintained permit, the named fiduciary may delegate certain responsibilities to trustees and may hire advisors to assist it in carrying out its functions. While generally the named fiduciary is an individual, it may be another entity. The plan sponsor or employees of the plan sponsor are often the named fiduciaries. These structural and operational relationships present a problem in our ability to protect health information from being used inappropriately in employment-related decisions. On the one hand, the group health plan, and any health insurance issuer or HMO providing health insurance or health coverage to the group health plan, are covered entities under the regulation and may only disclose protected health information as authorized under the regulation or with individual consent. On the other hand, plan sponsors may need access to protected health information to carry out administration functions on behalf of the plan, but under circumstances in which securing individual consent is impractical. We note that we sometimes refer in the rule and preamble to health insurance issuers and HMOs that provide health insurance or health coverage to a group health plan as health insurance issuers or HMOs with respect to a group health plan.

    The proposed rule used the health care component approach for employers and other plan sponsors. Under this approach, only the component of an employer or other plan sponsor would be treated as a covered entity. The component of the plan sponsor would have been able to use protected health information for treatment, payment, and health care operations, but not for other purposes, such as discipline, hiring and firing, placement and promotions. We have modified the final rule in a number of ways.

    In the final rule, we recognize plan sponsors' legitimate need for health information in certain situations while, at the same time, protecting health information from being used for employment-related functions or for other functions related to other employee benefit plans or other benefits provided by the plan sponsor. We do not attempt to directly regulate employers or other plan sponsors, but pursuant to our authority to regulate health plans, we place restrictions on the flow of information from covered entities to non-covered entities.

    The final rule permits group health plans, and allows them to authorize health insurance issuers or HMOs with respect to the group health plan, to disclose protected health information to plan sponsors if the plan sponsors voluntarily agree to use and disclose the information only as permitted or required by the regulation. The information may be used only for plan administration functions performed on behalf of the group health plan which are specified in plan documents. The group health plan is not required to have a business associate contract with the plan sponsor to disclose the protected health information or allow the plan sponsor to create protected health information on its behalf, if the conditions of § 164.504(e) are met.

    In order for the group health plan to disclose protected health information to a plan sponsor, the plan documents under which the plan was established and is maintained must be amended to: (1) describe the permitted uses and disclosures of protected health information; (2) specify that disclosure is permitted only upon receipt of a certification from the plan sponsor that the plan documents have been amended and the plan sponsor has agreed to certain conditions regarding the use and disclosure of protected health information; and (3) provide adequate firewalls to: identify the employees or classes of employees who will have access to protected health information; restrict access solely to the employees identified and only for the functions performed on behalf of the group health plan; and provide a mechanism for resolving issues of noncompliance.

    Any employee of the plan sponsor who receives protected health information for payment, health care operations or other matters related to the group health plan must be identified in the plan documents either by name or function. We assume that since individuals employed by the plan sponsor may change frequently, the group health plan would likely describe such individuals in a general manner. Any disclosure to employees or classes of employees not identified in the plan documents is not a permissible disclosure. To the extent a group health plan does have its own employees separate from the plan sponsor's employees, as the workforce of a covered entity (i.e. the group health plan), they also are bound by the permitted uses and disclosures of this rule.

    The certification that must be given to the group health plan must state that the plan sponsor agrees to: (1) not use or further disclose protected health information other than as permitted or required by the plan documents or as required by law; (2) ensure that any subcontractors or agents to whom the plan sponsor provides protected health information agree to the same restrictions; (3) not use or disclose the protected health information for employment-related actions; (4) report to the group health plan any use or disclosure that is inconsistent with the plan documents or this regulation; (5) make the protected health information accessible to individuals; (6) allow individuals to amend their information; (7) provide an accounting of its disclosures; (8) make its practices available to the Secretary for determining compliance; (9) return and destroy all protected health information when no longer needed, if feasible; and (10) ensure that the firewalls have been established.

    We have included this certification requirement in part, as a way to reduce the burden on health insurance issuers and HMOs. Without a certification, health insurance issuers and HMOs would need to review the plan documents in order to ensure that the amendments have been made before they could disclose protected health information to plan sponsors. The certification, however, is a simple statement that the amendments have been made and that the plan sponsor has agreed to certain restrictions on the use and disclosure of protected health information. The receipt of the certification therefore, is sufficient basis for the health insurance issuer or HMO to disclose protected health information to the plan sponsor.

    Many activities included in the definitions of health care operations and payment are commonly referred to as plan administration functions in the ERISA group health plan context. For purposes of this rule, plan administration activities are limited to activities that would meet the definition of payment or health care operations, but do not include functions to modify, amend, or terminate the plan or solicit bids from prospective issuers. Plan administration functions include quality assurance, claims processing, auditing, monitoring, and management of carve-out plans - such as vision and dental. Under the final rule, “plan administration” does not include any employment-related functions or functions in connection with any other benefits or benefit plans, and group health plans may not disclose information for such purposes absent an authorization from the individual. For purposes of this rule, enrollment functions performed by the plan sponsor on behalf of its employees are not considered plan administration functions.

    Plan sponsors have access to protected health information only to the extent group health plans have access to protected health information and plan sponsors are permitted to use or disclose protected health information only as would be permitted by group health plans. That is, a group health plan may permit a plan sponsor to have access to or to use protected health information only for purposes allowed by the regulation.

    As explained above, where a group health plan purchases insurance or coverage from a health insurance issuer or HMO, the provision of insurance or coverage by the health insurance issuer or HMO to the group health plan does not make the health insurance issuer or HMO a business associate. In such case, the activities of the health insurance issuer or HMO are on their own behalf and not on the behalf of the group health plan. We note that where a group health plan contracts with a health insurance issuer or HMO to perform functions or activities or to provide services that are in addition to or not directly related to the provision of insurance, the health insurance issuer or HMO may be a business associate with respect to those additional functions, activities, or services. In addition, group health plans that provide health benefits only through an insurance contract and do not create, maintain, or receive protected health information (except for summary information described below or information that merely states whether an individual is enrolled in or has been disenrolled from the plan) do not have to meet the notice requirements of § 164.520 or the administrative requirements of § 164.530, except for the documentation requirement in § 164.530(j), because these requirements are satisfied by the issuer or HMO that is providing benefits under the group health plan. A group health plan, however, may not permit a health insurance issuer or HMO to disclose protected health information to a plan sponsor unless the notice required in § 164.520 indicates that such disclosure may occur.

    The final rule also permits a health plan that is providing insurance to a group health plan to provide summary information to the plan sponsor to permit the plan sponsor to solicit premium bids from other health plans or for the purpose of modifying, amending, or terminating the plan. The rule provides that summary information is information that summarizes claims history, claims expenses, or types of claims experienced by individuals for whom the plan sponsor has provided health benefits under a group health plan, provided that specified identifiers are not included. Summary information may be disclosed under this provision even if it does not meet the definition of de-identified information. As part of the notice requirements in § 164.520, health plans must inform individuals that they may disclose protected health information to plan sponsors. The provision to allow summaries of claims experience to be disclosed to plan sponsors that purchase insurance will allow them to shop for replacement coverage, and get meaningful bids from prospective issuers. It also permits a plan sponsor to get summary information as part of its consideration of whether or not to change the benefits that are offered to employees or whether or not to terminate a group health plan.

    We note that a plan sponsor may perform enrollment functions on behalf of its employees without meeting the conditions above and without using the standard transactions described in the Transactions Rule.

     

    HHS Response to Comments Received from Original Rulemaking
    Uses and Disclosures: Organizational Requirements: Requirements for Group Health Plans

     

    Comment: Several commenters interpreted the preamble in the proposed rule to mean that only self-insured group health plans were covered entities. Another commenter suggested there was an error in the definition of group health plans because it only included plans with more than 50 participants or plans administered by an entity other than the employer (emphasis added by commenter). This commenter believed the “or” should be an “and” because almost all plans under 50 are administered by another entity and therefore this definition does not exclude most small plans.

    Response: We did not intend to imply that only self-insured group health plans are covered health plans. We clarify that all group health plans, both self-insured and fully-funded, with 50 or more participants are covered entities, and that group health plans with fewer than 50 participants are covered health plans if they are administered by another entity. While we agree with the commenter that few group health plans with fewer than 50 participants are self-administered, the “or” is dictated by the statute. Therefore, the statute only exempts group health plans with fewer than 50 participants that are not administered by an entity other than the employer.

    Comment: Several commenters stated that the proposed rule mis-characterized the relationship between the employer and the group health plan. The commenters stated that under ERISA and the Internal Revenue Code group health plans are separate legal entities from their employer sponsors. The group health plan itself, however, generally does not have any employees. Most operations of the group health plan are contracted out to other entities or are carried out by employees of the employer who sponsors the plan. The commenters stressed that while group health plans are clearly covered entities, the Department does not have the statutory authority to cover employers or other entities that sponsor group health plans. In contrast, many commenters stated that without covering employers, meaningful privacy protection is unattainable.

    Response: We agree that group health plans are separate legal entities from their plan sponsors and that the group health plan itself may be operated by employees of the plan sponsor. We make significant modifications to the proposed rule to better reflect this reality. We design the requirements in the final regulation to use the existing regulatory tools provided by ERISA, such as the plan documents required by that law and the constellation of plan administration functions defined by that law that establish and maintain the group health plan.

    We recognize plan sponsors' legitimate need for health information in certain situations while, at the same time, protecting health information from being used for employment-related functions or for other functions related to other employee benefit plans or other benefits provided by the plan sponsor. We do not attempt to directly regulate plan sponsors, but pursuant to our authority to regulate health plans, we place restrictions on the flow of information from covered entities to non-covered entities. The final rule permits group health plans to disclose protected health information to plan sponsors, and allows them to authorize health insurance issuers or HMOs to disclose protected health information to plan sponsors, if the plan sponsors agree to use and disclose the information only as permitted or required by the regulation. The information may be used only for plan administration functions performed on behalf of the group health plan and specified in the plan documents. Hereafter, any reference to employer in a response to a comment uses the term “plan sponsor,” since employers can only receive protected health information in their role as plan sponsors, except as otherwise permitted under this rule, such as with an authorization.

    Specifically, in order for a plan sponsor to obtain without authorization protected health information from a group health plan, health insurance issuer, or HMO, the documents under which the group health plan was established and is maintained must be amended to: (1) describe the permitted uses and disclosures of protected health information by the plan sponsor (see above for further explanation); (2) specify that disclosure is permitted only upon receipt of a written certification that the plan documents have been amended; and (3) provide adequate firewalls. The firewalls must identify the employees or classes of employees or other persons under the plan sponsor's control who will have access to protected health information; restrict access to only the employees identified and only for the administrative functions performed on behalf of the group health plan; and provide a mechanism for resolving issues of noncompliance by the employees identified. Any employee of the plan sponsor who receives protected health information in connection with the group health plan must be included in the amendment to the plan documents. As required by ERISA, the named fiduciary is responsible for ensuring the accuracy of amendments to the plan documents.

    Group health plans, and health insurance issuers or HMOs with respect to the group health plan, that disclose protected health information to plan sponsors are bound by the minimum necessary standard as described in § 164.514.

    Group health plans, to the extent they provide health benefits only through an insurance contract with a health insurance issuer or HMO and do not create, receive, or maintain protected health information (except for summary information or enrollment and disenrollment information), are not required to comply with the requirements of §§ 164.520 or 164.530, except for the documentation requirements of § 164.530(j). In addition, because the group health plan does not have access to protected health information, the requirements of §§ 164.524, 164.526, and 164.528 are not applicable. Individuals enrolled in a group health plan that provides benefits only through an insurance contract with a health insurance issuer or HMO would have access to all rights provided by this regulation through the health insurance issuer or HMO, because they are covered entities in their own right.

    Comment: We received several comments from self-insured plans who stated that the proposed rule did not fully appreciate the dual nature of an employer as a plan sponsor and as an insurer. These commenters stated that the regulation should have an exception for employers who are also insurers.

    Response: We believe the approach we have taken in the final rule recognizes the special relationship between plan sponsors and group health plans, including group health plans that provide benefits through a self-insured arrangement. The final rule allows plan sponsors and employees of plan sponsors access to protected health information for purposes of plan administration. The group health plan is bound by the permitted uses and disclosures of the regulation, but may disclose protected health information to plan sponsors under certain circumstances. To the extent that group health plans do not provide health benefits through an insurance contract, they are required to establish a privacy officer and provide training to employees who have access to protected health information, as well as meet the other applicable requirements of the regulation.

    Comment: Some commenters supported our position not to require individual consent for employers to have access to protected health information for purposes of treatment, payment, and health care operations. For employer sponsored insurance to continue to exist as it does today, the commenters stressed, this policy is essential. Other commenters encouraged the Department to amend the regulation to require authorization for disclosure of information to employers. These commenters stressed that because the employer was not a covered entity, individual consent is the only way to prohibit potential abuses of information.

    Response: In the final regulation, we maintain the position in the proposed rule that a health plan, including a group health plan, need not obtain individual consent for use and disclosure of protected health information for treatment, payment, or health care operations purposes. However, we impose conditions (described above) for making such disclosures to the plan sponsor. Because employees of the plan sponsor often perform health care operations and payment (e.g., plan administration) functions, such as claims payment, quality review, and auditing, they may have a legitimate need for such information. Requiring authorization from every participant in the plan could make such fundamental plan administration activities impossible. We therefore impose regulatory restrictions, rather than a consent requirement, to prevent abuses. For example, the plan sponsor must certify that any protected health information obtained by its employees through such plan administration activities will not be used for employment-related decisions.

    Comment: Several commenters stressed that the regulation must require the establishment of firewalls between group health plans and employers. These commenters stated that firewalls were necessary to prevent the employer from accessing information improperly and using it in making job placements, promotions, and firing decisions. In addition, one commenter stated that employees with access to protected health information must be empowered through this regulation to deny unauthorized access to protected health information to corporate managers and executives.

    Response: We agree with the commenters that firewalls are necessary to prevent unauthorized use and disclosure of protected health information. Among the conditions for group health plans to disclose information to plan sponsors, the plan sponsor must establish firewalls to prevent unauthorized uses and disclosures of information. The firewalls include: describing the employees or classes of employees with access to protected health information; restricting access to and use of the protected health information to the plan administration functions performed on behalf of the group health plan and described in plan documents; and providing an effective mechanism for resolving issues of noncompliance.

    Comment: Several commenters supported our proposal to cover the health care component of an employer in its capacity as an administrator of the group health plan. These commenters felt the component approach was necessary to prevent the disclosure of protected health information to other parts of the employer where it might be used or disclosed improperly. Other commenters believed the component approach was unworkable and that distinguishing who was in the covered entity would not be as easy as assumed in the proposed rule. One commenter stated it was unreasonable for an employer to go through its workforce division by division and employee by employee designating who is included in the component and who is not. In addition, some commenters argued that we did not have the statutory authority to regulate employers at all, including their health care components.

    One commenter requested more guidance with respect to identifying the health care component as proposed under the proposed rule. In particular, the commenter requested that the regulation clearly define how to identify such persons and what activities and functional areas may be included. The commenter alleged that identification of persons needing access to protected health information will be administratively burdensome. Another commenter requested clarification on distinguishing the component entity from non-component entities within an organization and how to administer such relationships. The commenter stated that individuals included in the covered entity could change on a daily basis and advocated for a simpler set of rules governing intra-organizational relationships as opposed to inter-organizational relationships.

    Response: While we have not adopted the component approach for plan sponsors in the final rule, plan sponsors who want protected health information must still identify who in the organization will have access to the information. Several of the changes we make to the NPRM will make this designation easier. First, we move from “component” to a more familiar functional approach. We limit the employees of the plan sponsor who may receive protected health information to those employees performing plan administration functions, as that term is understood with respect to ERISA compliance, and as limited by this rule's definitions of payment and health care operation. We also allow designation of a class of employees (e.g., all employees assigned to a particular department) or individual employees.

    Although some commenters have asked for guidance, we have intentionally left the process flexible to accommodate different organizational structures. Plan sponsors may identify who will have access to protected health information in whatever way best reflects their business needs as long as participants can reasonably identify who will have access. For example, persons may be identified by naming individuals, job titles (e.g. Director of Human Resources), functions (e.g. employees with oversight responsibility for the outside third party claims administrator), divisions of the company (e.g. Employee Benefits) or other entities related to the plan sponsor. We believe this flexibility will also ease any administrative burden that may result from the identification process. Identification in terms such as “individuals who from time to time may need access to protected health information” or in other broad or generic ways, however, would not be sufficient.

    Comment: In addition to the comments on the component approach itself, several commenters pointed out that many employees wear two hats in the organization, one for the group health plan and one for the employer. The commenters stressed that these employees should not be regulated when they are performing group health plan functions. This arrangement is necessary, particularly in small employers where the plan fiduciary may also be in charge of other human resources functions. The commenter recommended that employees be allowed access to information when necessary to perform health plan functions while prohibiting them from using the information for non-health plan functions.

    Response: We agree with the commenters that many employees perform multiple functions in an organization and we design these provisions specifically to accommodate this way of conducting business. Under the approach taken in the final regulation, employees who perform multiple functions (i.e. group health plan and employment-related functions) may receive protected health information from group health plans, but among other things, the plan documents must certify that these employees will not use the information for activities not otherwise permitted by this rule including for employment-related activities.

    Comment: Several commenters pointed out that the amount of access needed to protected health information varies greatly from employer to employer. Some employers may perform many plan administration functions themselves which are not possible without access to protected health information. Other employers may simply offer health insurance by paying a premium to a health insurance issuer rather than provide or administer health benefits themselves. Some commenters argued that fully insured plans should not be covered under the rule. Similarly, some commenters argued that the regulation was overly burdensome on small employers, most of whom fully insure their group health plans. Other commenters pointed out that health insurance issuers - even in fully insured arrangements - are often asked for identifiable health information, sometimes for legitimate purposes such as auditing or quality assurance, but sometimes not. One commenter, representing an insurer, gave several examples of employer requests, including claims reports for employees, individual and aggregate amounts paid for employees, identity of employees using certain drugs, and the identity, diagnosis and anticipated future costs for “high cost” employees. This same commenter requested guidance in what types of information can be released to employers to help them determine the organization's responsibilities and liabilities.

    Response: In the final regulation we recognize the diversity in plan sponsors' need for protected health information. Many plan sponsors need access to protected health information to perform plan administration functions, including eligibility and enrollment functions, quality assurance, claims processing, auditing, monitoring, trend analysis, and management of carve-out plans (such as vision and dental plans). In the final regulation we allow group health plans to disclose protected health information to plan sponsors if the plan sponsor voluntarily agrees to use the information only in accordance with the purposes stated in the plan documents and as permitted by the regulation. We clarify, however, that plan administration does not include any employment-related decisions, including fitness for duty determinations, or duties related to other employee benefits or plans. Plan documents may only permit health insurance issuers to disclose protected health information to a plan sponsor as is otherwise permitted under this rule and consistent with the minimum necessary standard.

    Some plan sponsors, including those with a fully insured group health plan, do not perform plan administration functions on behalf of group health plans, but still may require health information for other purposes, such as modifying, amending or terminating the plan or soliciting bids from prospective issuers or HMOs. In the ERISA context actions undertaken to modify, amend or terminate a group health plan may be known as “settlor” functions (see Lockheed Corp. v. Spink, 517 U.S. 882 (1996)). For example, a plan sponsor may require access to information to evaluate whether to adopt a three-tiered drug formulary. Additionally, a prospective health insurance issuer may need claims information from a plan sponsor in order to provide rating information. The final rule permits plan sponsors to receive summary health information with identifiers removed in order to carry out such functions. Summary health information is information that summarizes the claims history, expenses, or types of claims by individuals enrolled in the group health plan. In addition, the identifiers listed in § 164.514(b)(2)(i) must be removed prior to disclosing the information to a plan sponsor for purposes of modifying, amending, or terminating the plan. See § 164.504(a). This information does not constitute de-identified information because there may be a reasonable basis to believe the information is identifiable to the plan sponsor, especially if the number of participants in the group health plan is small. A group health plan, however, may not permit an issuer or HMO to disclose protected health information to a plan sponsor unless the requirement in § 164.520 states that this disclosure may occur.

    Comment: Several commenters stated that health insurance issuers cannot be held responsible for employers' use of protected health information. They stated that the issuer is the agent of the employer and it should not be required to monitor the employer's use and disclosure of information.

    Response: Under this regulation, health insurance issuers are covered entities and responsible for their own uses and disclosures of protected health information. A group health plan must require a health insurance issuer or HMO providing coverage to the group health plan to disclose information to the plan sponsor only as provided in the plan documents.

    Comment: Several commenters urged us to require de-identified information to be used to the greatest extent possible when information is being shared with employers.

    Response: De-identified information is not sufficient for many functions plan sponsors perform on behalf of their group health plans. We have created a process to allow plan sponsors and their employees access to protected health information when necessary to administer the plan. We note that all uses and disclosures of protected health information by the group health plan are bound by the minimum necessary standard.

    Comment: One commenter representing church plans argued that the regulation should treat such plans differently from other group health plans. The commenter was concerned about the level of access to information the Secretary would have in performing compliance reviews and suggested that a higher degree of sensitivity is needed for information related to church plans than for information related to other group health plans. This sensitivity is needed, the commenter alleged, to reduce unnecessary intrusion into church operations. The commenter also advocated that church plans found to be out of compliance should be able to self-correct within a stated time frame (270 days) and avoid paying penalty taxes as allowed in the Internal Revenue Code.

    Response: We do not believe there is sufficient reason to treat church plans differently than other covered entities. The intent of the compliance reviews is to determine whether or not the plan is abiding by the regulation, not to gather information on the general operations of the church. As required by § 160.310(c), the covered entity must provide access only to information that is pertinent to ascertaining compliance with part 160 or subpart E of part 164.

    Comment: Several commenters stated that employers often advocate on behalf of their employees in benefit disputes and appeals, answer questions with regard to the health plan, and generally help them navigate their health benefits. These commenters questioned whether this type of assistance would be allowed under the regulation, whether individual consent was required, and whether this intervention would make them a covered entity.

    Response: The final rule does nothing to hinder or prohibit plan sponsors from advocating on behalf of group health plan participants or providing assistance in understanding their health plan. Under the privacy rule, however, the plan sponsor could not obtain any information from the group health plan or a covered provider unless authorization was given. We do not believe obtaining authorization when advocating or providing assistance will be impractical or burdensome since the individual is requesting assistance and therefore should be willing to provide authorization. Advocating on behalf of participants or providing other assistance does not make the plan sponsor a covered entity.