HIPAA Clauses for Employer PHI Access
(Group Health Plan)


Summary

These clauses can be used to satisfy the requirement under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) that, before a group health plan discloses protected health information (PHI) to the plan sponsor, the plan document restricts the sponsor's uses and disclosures of PHI consistent with HIPAA's Privacy and Security Rules. These clauses contain practical guidance and drafting notes. HIPAA's Privacy Rule imposes strict limitations on the use and disclosure of PHI, and its Security Rule requires safeguards for PHI that is transmitted or stored electronically (ePHI). Recognizing that employers involved in plan administration need access to PHI, the rules specifically permit disclosures to plan sponsors for that purpose. Nevertheless, such disclosure and use are permissible only if the plan sponsor:

• Adopts or amends the health plan to include provisions requiring the sponsor to abide by certain practices and procedures (as set forth in this form) –and–

• Certifies in writing that it agrees to abide by certain of these requirements (see HIPAA Certification for Employer Access to Health Plan PHI).

See 45 C.F.R. § 164.504(f)(2) (PHI provisions) and § 164.314(b)(2) (ePHI provisions). Exceptions to these requirements can apply where the PHI used or disclosed contains little or no sensitive, individually identifiable information. The PHI and ePHI plan language requirements are distinct. Strictly speaking, the ePHI provisions are not necessary if no PHI handled by the sponsor will be in electronic form, but that is an increasingly unusual circumstance. In any case, it is a best practice to include all of the clauses in every employer health plan, even if the sponsor does not currently handle any PHI, since it might do so in the future. These clauses are structured as a plan appendix, which may be duly incorporated into each of the employer's HIPAA-covered plans.
To satisfy the Privacy Rule requirement, the group health plan must be amended to provide that it will disclose PHI to the plan sponsor only after receipt of a certification by the plan sponsor that the plan documents have been amended to incorporate the following provisions and that the plan sponsor agrees that it will:

1. Not use or further disclose the information other than as permitted or required by the plan documents or as required by law

2. Ensure that any agents to whom it provides protected health information received from the group health plan agree to the same restrictions and conditions that apply to the plan sponsor with respect to such information

3. Not use or disclose the information for employment-related actions and decisions or in connection with any other benefit or employee benefit plan of the plan sponsor

4. Report to the group health plan any use or disclosure of the information that is inconsistent with the uses or disclosures provided for of which it becomes aware

5. Make available protected health information in accordance with 45 C.F.R. § 164.524

6. Make available protected health information for amendment and incorporate any amendments to protected health information in accordance with 45 C.F.R. § 164.526

7. Make available the information required to provide an accounting of disclosures in accordance with 45 C.F.R. § 164.528

8. Make its internal practices, books, and records relating to the use and disclosure of protected health information received from the group health plan available to the Secretary for purposes of determining compliance by the group health plan with these requirements

9. If feasible, return or destroy all protected health information received from the group health plan that the sponsor still maintains in any form and retain no copies of such information when no longer needed for the purpose for which disclosure was made, except that, if such return or destruction is not feasible, limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible –and–

10. Ensure that the adequate separation required by § 164.504(f)(2)(iii) is established.

See 45 C.F.R. § 164.504(f)(2)(ii). For a sample plan sponsor certification, see HIPAA Certification for Employer Access to Health Plan PHI.

In addition, HIPAA's Security Rule requires the group health plan document to be amended to provide that the plan sponsor will reasonably and appropriately safeguard electronic PHI (ePHI) created, received, maintained, or transmitted to or by the plan sponsor on behalf of the group health plan. See 45 C.F.R. § 164.314(b)(1). The accompanying implementation specifications require the group health plan document to be amended to require the plan sponsor to:

1. Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that it creates, receives, maintains, or transmits on behalf of the group health plan

2. Ensure that the adequate separation required by § 164.504(f)(2)(iii) is supported by reasonable and appropriate security measures

3. Ensure that any agent to whom it provides this information agrees to implement reasonable and appropriate security measures to protect the information –and–

4. Report to the group health plan any security incident of which it becomes aware.

See 45 C.F.R. § 164.314(b)(2). For a full listing of key content covering HIPAA considerations, see HIPAA Resource Kit.
For additional background, see the section "Disclosures for Plan Administrative Functions" under How Does the Privacy Rule Affect Information Sharing between an Employer and Its Group Health Plan? and the "Organizational Requirements" section under What Does the HIPAA Security Rule Require? in the practice note HIPAA Privacy, Security, Breach Notification, and Other Administrative Simplification Rules.