Skip to main content

Important concepts to remember

Protected health information

Protected health information (PHI) is individually identifiable health information such as name, address, services provided, or premiums paid, which is transmitted electronically and maintained in any form or medium (for example) stored in paper or in an electronic database. PHI is a key element of the Privacy Rule

  • PHI may be used and disclosed without authorization for treatment, payment for treatment, and health care operations, as well as for certain law enforcement and public health functions. Otherwise, PHI cannot be used or disclosed except as provided in the rule or as explicitly authorized by the individual.
  • When requesting, using or disclosing PHI, reasonable efforts must be made to limit the PHI to the minimum necessary to accomplish the intended purpose.
  • Individuals have the right to see their PHI, to know how it is being used, and to request that their PHI be amended.

Covered entity

A covered entity is individuals or entities who are required to be compliant with the federal HIPAA-AS laws:

  • health plans
  • health care clearinghouses
  • health care practitioners
  • facilities that transmit any health information electronic form with a standard transmission. (Even if practitioners or facilities do not send health information electronically, they still are required to follow the privacy regulations as the rules pertain to protected health information in any form.)

Business associate

A business associate is a person or an entity who performs or assists in performing a function or activity that involves the use or disclosure of individual identifiable health information on behalf of Wellmark, or on behalf of a health plan in which Wellmark participates.
Examples are:

  • Acute Care or Long Term Care facility
  • Pharmacy benefit manager
  • Third party administrator
  • Agents or Brokers acting on behalf of a Health Plan

Access to personal health information (PHI)

The HIPAA-AS Privacy Rule affects the role an agent or broker may have with a client.
Access to protected health information (PHI) is extended by the insurer, group health plan, employee group or group member you serve.
To determine what role an agent or broker has, the individual should consider these questions:

  • Whom does the agent/broker represent?
  • What does the agent/broker do?
  • What does the agent/broker contract say?
  • Who pays the agent/broker?
  • What does state law or insurance regulation say?
  • What regulations pertain to agents and brokers regarding how they store and use protected health information in their own offices?

Agents and brokers should confer with their own legal counsel and their accounts to clarify roles and responsibilities.
It is essential that agents and brokers understand the role they are taking when working with each of their customers and how their responsibilities are affected by the HIPAA-AS Privacy Rule for PHI.

Agents and brokers may have access to PHI through contact with:

  • Insurer or group health plan: As an employee or the business associate of an insurer or group health plan or other covered entity, you may have access to PHI as is necessary to perform your designated functions.
  • Employers: As the representative of an employer, you may have access to limited PHI in connection with employer's plan administration.
  • Members: You may be designated by a member as his or her personal representative through a power of attorney or other legal instrument of authority. With such a document in place, you may have access to PHI as it pertains to related matters.

A member may provide formal written authorization stating that you may have access to some or all of his or her PHI. In that case, your access to the PHI is limited to the information specifically authorized in the document.

A member may grant informal permission for you to access his or her PHI in the member's presence. The insurer or health plan must obtain approval in advance to disclose the member's PHI.