System provides many different types of services including group health coverage to System employees, retired employees, spouses and eligible dependents (“Members”) through the Self-funded Group Health Plans which are subject to HIPAA, as well as Business Associate services to the Self-Funded Health Plans and to other Covered Entities. HIPAA requires only Covered Entities and Business Associates to comply with the HIPAA Privacy Standards. Not all of the functions performed by System are performed in its capacity as a Covered Entity or a Business Associate to a Covered Entity. The purpose of this policy is to describe the various functions performed by System and to identify the functions that must be performed in compliance with the HIPAA Privacy Standards.
Section 2.1 The policies and procedures in this Manual shall apply to all functions performed by the Office of Employee Benefits on behalf of the Self-funded Health Plans operated by OEB on behalf of The University of Texas System, which is a Covered Entity under HIPAA.
OEB performs functions as a Covered Entity under HIPAA when it performs administrative acts on behalf of the Self-funded Health Plans that it offers to Members. Since The University of Texas System functions as a state agency, EGI’s Self-funded Group Health Plans are not subject to ERISA. The Self-funded Health plans currently offered by OEB are UT SELECT and UT Dental SELECT. UT SELECT is a PPO medical coverage plan with pharmacy benefits. Many administrative services for the medical portion of the plan are provided through contracts with a licensed third party administrator that also operates as a general indemnity insurance carrier. Many administrative services for the pharmacy benefit portion of the plan are provided through a contract with a licensed pharmacy benefits administrator manager. UT Dental SELECT is a dental plan. Many administrative services are administered by a contract with a dental indemnity carrier. OEB also offers UT FLEX, a medical and dependent flexible spending account plan administered by a contract with a flexible spending plan administrator. For purposes of HIPAA, UT FLEX is considered by EGI to be a Self-funded Group Health Plan. OEB is required to comply with the HIPAA Privacy Standards only in its capacity as the administrator of its Self-funded Group Health plans. The policies and procedures set forth in this Manual are applicable to OEB and its staff when it is performing functions in this capacity. The Secretary has the ability to enforce the HIPAA Privacy Standards against OEB when it is performing functions in this capacity.
Section 2.2 The policies and procedures in this Manual that apply to Plan Sponsor shall apply to all functions performed by OEB in its capacity as a Plan Sponsor as defined by the HIPAA Privacy Standards.
OEB functions as a Plan Sponsor to Fully-insured Group Health Plans offered to benefits eligible System employees and retirees that are Covered Entities under HIPAA. Plan Sponsors have a more limited responsibility under HIPAA than a Covered Entity and are not subject to the jurisdiction of the Secretary. OEB has a Plan Sponsor relationship with the licensed HMOs and insurers that are providing or have provided fully-insured health coverage to Members through a contract with OEB. OEB is required to comply with the HIPAA Privacy Standards that apply to Plan Sponsors when acting in the capacity of a Plan Sponsor. Only the policies and procedures designated in this Manual as applicable to Plan Sponsors (see Policy 5) are applicable to OEB and its staff when it is performing functions in this capacity. The Secretary does not have the ability to enforce the HIPAA Privacy Standards against OEB when it is performing functions in this capacity.
Section 2.3 None of the policies and procedures in this Manual shall apply to any functions performed by OEB in its capacity as a plan sponsor or administrator to a plan that is not subject to the HIPAA Privacy Standards.
OEB functions in other capacities that are not subject to HIPAA. The benefits currently offered by OEB that are not subject to the HIPAA Privacy Standards are life insurance coverage, long-term disability coverage, short-term disability coverage, and personal accident insurance. While it is the practice of OEB at all times to respect the privacy of its members and to protect the confidentiality of all information that it receives from its Members to the extent permitted by law, the medical and health information received by OEB in the process of offering these non-HIPAA subject benefits to Members is not PHI as defined by HIPAA or the HIPAA Privacy Standards. None of the policies or procedures in this Manual are applicable to OEB and its staff when it is performing functions in a capacity that is not subject to HIPAA. The Secretary does not have the ability to enforce the HIPAA Privacy Standards against OEB when it is performing functions in this capacity.
Section 2.4 The Policies and procedures in this Manual shall apply to all functions performed by the other System offices included in the System Health Care Component to the extent that the Policies are applicable to a Business Associate and those Offices are providing services in the capacity of a Business Associate.
The Offices of Employee Services (OES), Information & Technological Services (OTIS), Systemwide Compliance, Audit and General Counsel each provide some services on behalf of the Self-funded Group Health Plans offices that require those offices to access, use and disclose those Plans’ PHI. These offices, with the exception of OES and OTIS, also provide services to System institutions which are Covered Entities that require those offices to access, Use, and Disclose PHI from those institutions. The System institutions which are Covered Entities are its six health science institutions and the System institutions that are Hybrid Entities (The University of Texas at Austin and The University of Texas at Dallas). In addition, The University of Texas at Arlington has ceased providing services that rendered it a Hybrid Entity but continues to maintain some records that contain Protected Health Information that is subject to HIPAA.
The policies and procedures set forth in this Manual are applicable to those offices and their staff only when they are performing functions in their capacity as Business Associates that access PHI of the Plans or the System institutions which are Covered or Hybrid Entities. The Secretary has the ability to enforce the HIPAA Privacy Standards against these offices when they are performing functions in the capacity of a Business Associate as to any:
- Impermissible uses and disclosures including the failure to make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of a Use, Disclosure or request for PHI;
- Failure to provide breach notification to a Covered Entity;
- Failure to provide access to a copy of electronic PHI to either the Covered Entity, the Individual or the Individual’s designee;
- Failure to disclose PHI where required by the Secretary to investigate or determine the Business Associate’s compliance with the HIPAA Rules;
- Failure to provide an accounting of disclosures;
- Failure to comply with the requirements of the Security Rule; and
- To the extent these offices are carrying out a Covered Entity’s obligations, the requirements of the Privacy Rule that apply to that Covered Entity.
REFERENCES/CITATIONS
45 C.F.R. §160.300
45 C.F.R. §161.103
45 C.F.R. §164.104
45 C.F.R. §164.500
45 C.F.R. §164.504(f)