HIPAA Policy 5.0: Office of Employee Benefits As a Plan Sponsor
The Office of Employee Benefit’s (OEB’s) status as a Fully Insured Group (FIG) Plan Sponsor for purposes of the HIPAA Privacy Rules does not subject System to the jurisdiction of the Secretary. However, HIPAA requires a Carrier that is a Covered Entity to provide coverage under a Fully-insured Group Health FIG Plan only to employers who agree to comply with the HIPAA FIG Plan Sponsor rules when functioning as the FIG Plan Sponsor. It is System’s policy that when OEB is functioning in its capacity as a FIG Plan Sponsor for a Fully-insured Group Health FIG Plan (“FIG Plan”) providing Group Health FIG Plan coverage to Members, OEB shall comply with the HIPAA Plan Sponsor rules.
5.1 Notice Provided by the FIG Plan
When acting as a FIG Plan Sponsor, OEB shall distribute a copy of the FIG Plan’s notice within 30 days to any individual who requests a copy, regardless of the individual’s relationship with the FIG Plan.
5.2 Identifying FIG Plan Participants and Enrollees
The FIG Plan may Disclose to OEB information on whether the individual is participating in the FIG Plan or is enrolled in or has disenrolled from the FIG Plan.
5.3 Obtaining Premium Bids
If OEB requires PHI in order to obtain premium bids from health FIG Plans for providing health insurance coverage, and if the FIG Plan’s notice of privacy practices permits the FIG Plan to Disclose PHI to OEB, OEB can obtain and Disclose Summary Health Information from the FIG Plan for such purpose. The FIG Plan may Disclose PHI that is not Summary Health Information to OEB only if all individuals who are the subjects of such PHI have provided Authorization for such Disclosure. If the FIG Plan’s notice of privacy practices does not state that the FIG Plan may Disclose PHI to OEB, the FIG Plan may Disclose Summary Health Information that is PHI to OEB for such purpose only pursuant to an Authorization.
5.4 Modifying, Amending, or Terminating the FIG Plan.
If OEB needs PHI in order to consider or execute a modification, amendment, or termination of the FIG Plan, and if the FIG Plan’s notice of privacy practices states ￼￼￼￼ that the FIG Plan may Disclose PHI to OEB, the FIG Plan may Disclose Summary Health Information to OEB for such purpose. The FIG Plan may Disclose PHI that is not Summary Health Information to OEB for such purpose only if all individuals who are the subjects of such PHI have provided Authorization for such Disclosure. If the FIG Plan’s notice of privacy practices does not state that the FIG Plan may Disclose PHI to OEB, the FIG Plan may Disclose Summary Health Information that is PHI to OEB for such purpose only pursuant to an Authorization.
5.5 Conducting Inquiries and Advocacy on Behalf of a Member to the FIG Plan
OEB recognizes that when OEB staff makes inquiries or advocates to the FIG Plan on behalf of a Member seeking claim coverage or other services from the FIG Plan, OEB is acting as the representative of the Member rather than the FIG Plan Sponsor. Therefore, the FIG Plan shall not Disclose PHI to an employee of OEB, the Office of Employee Services or an benefits office of a component institution as a Business Associate of OEB in connection with such representation unless the employee provides an Authorization or a written directive to the FIG Plan to release the PHI. A Form Authorization is included in the Appendix that will allow both an employee of the benefits office at the component institution where the Member is employed and OEB staff to obtain PHI on behalf of a Member in order to represent the Member in transactions with the FIG Plan that involve the Disclosure of PHI.
5.6 Conducting Non-FIG Plan Employment-related Actions or Decisions.
The FIG Plan shall not Disclose PHI to OEB in connection with OEB’s employment- related actions and decisions unless each Member who is a subject of the PHI provides Authorization for such Disclosure.
5.7 Underwriting Required by the FIG Plan
If the terms of the FIG Plan require individual underwriting for certain categories of Members that apply for enrollment in the FIG Plan, OEB shall obtain Authorizations for such underwriting activities as set forth in Section 4.5 of this Manual.
5.8. Administering Other Employee Benefits or Employee Benefit FIG Plans
OEB shall not require Disclosure of PHI from the FIG Plan in connection with any employee benefit or employee benefit FIG Plan other than the FIG Plan unless each individual who is a subject of the PHI provides an Authorization for such Disclosure or the Disclosure is for Payment or Health Care Operations.
5.9. Disclosures for Any Other Purpose.
OEB may require Disclosure of PHI by the FIG Plan for any purpose not set forth in this Policy but only for Disclosures that are permissible under the FIG Plan’s HIPAA compliance policies. Before requesting the Disclosure, OEB must:
- (i) Ensure that the FIG Plan’s notice of privacy practices states that the FIG Plan may Disclose PHI to OEB; and (ii) agree to (A) restrict EGI’s Use and Disclosure of PHI in accordance with the HIPAA Privacy Standards, (B) provide any required Certification to the FIG Plan, and (C) establish adequate protection for the PHI by (1) identifying those individuals within OEB entitled to receive FIG Plan PHI, (2) restricting access to FIG Plan PHI to the identified individuals, and (3) agreeing to resolve privacy violations by the identified individuals; or
- Obtain an Authorization from each individual who is a subject of the PHI to be Disclosed to OEB.
5.10 Documentation of FIG Plan Provisions and Company Certifications
OEB shall document (i) any agreement that is intended to permit Disclosure of PHI to OEB and (ii) any Certification given by OEB to receive PHI in connection with the FIG Plan. Such documentation shall be retained in accordance with Section 9.2 of this Manual.
Any Authorization required under this Policy must meet the requirements for authorizations set forth in Section 4.11 of this Manual.
45 C.F.R. § 1164.504(f)