Under the Privacy Regulation, Wellmark needs to take steps with our fully insured and self-funded groups health plans to protect the confidentiality of protected health information collected or exchanged in the course of business operations. We consider self-funded health plans include fully and partially self-funded health plans and medical reimbursement plans (flexible spending accounts) administered by Wellmark.
Privacy Rule/Protected Health Information
The Privacy Rule has consequences for health plans, sponsors of group health plans, health care practitioners and facilities. Covered entities are required to implement a number of administrative requirements to ensure privacy of "protected health information" or PHI.
The impact of the privacy regulations on each employer or health plan depends in part on the extent to which it uses PHI.
Summary Health Information
The Privacy Rule permits a plan sponsor to have "summary health information" to obtain premium bids for health insurance coverage for the group health plan, or to modify, change or terminate a group health plan.
"Summary health information" summarizes claims history, claims expense, or type of claims experienced by individuals for whom the plan sponsor has provided health benefits under a group health plan.
The Privacy Rule permits a health insurer to disclose plan enrollees' protected health information (PHI) for "plan administration functions." These are performed by the plan sponsor on behalf of the group health plan.
A fully-insured health plan is not subject to the administrative requirements of the Privacy Rule if it does not create or receive PHI except for summary health information and plan participation information (such as whether an individual is enrolled or disenrolled from a health insurance issuer or HMO offered by the plan).
"Plan administration functions" do not include functions that the plan sponsor may perform in connection with any other benefit or benefit plan of the sponsor. However, before a health insurer may disclose protected health information to the plan sponsor for plan administration functions, the plan sponsor must certify that it adheres to and complies with Privacy Rule requirements.
Impact of privacy rule on employer/group health plan sponsors:
- HIPAA-AS, and specifically the Privacy Rule, does not apply to all employers but it does apply to a group health plan sponsored by an employer. If the employer and the plan sponsor are the same entity - the employer is affected.
- A clear intent of the Privacy Rule is to ensure that employees protect individually identifiable health information.
- The obligations of a group health plan sponsor will depend upon the type of health information it considers necessary to manage the group health plan.
If an insured group health plan receives or creates PHI, or if a group health plan is self-funded, compliance is the responsibility of the plan sponsor. Wellmark Blue Cross and Blue Shield will assist health plans that are subject to HIPAA-AS requirements, to the extent possible, with fact sheets and forms. Wellmark also will provide communication and updates about HIPAA-AS in general.
If you have questions or would like additional information, please contact your Wellmark Blue Cross and Blue Shield account manager or broker.