How Do the HIPAA Privacy Rules Apply to a Participant’s Instruction to Send Their Health Information to a Third Party?

QUESTION: If a participant asks our self-insured health plan to send their claim file to a third party, such as their attorney, how do the HIPAA privacy rules apply to these requests?

ANSWER: HIPAA limits disclosures of protected health information (PHI) to third parties. Generally, disclosures for treatment, payment, or specified health care operations do not require an individual authorization. Disclosures not fitting into one of these categories—such as a disclosure to a participant’s attorney—require specific action by the individual. HIPAA regulations contemplate three methods for a health plan to disclose an individual’s PHI to a third party.

  • Individual Access Requests. From the first privacy regulations issued in 2000, HIPAA has given individuals the right to inspect or obtain a copy of their own PHI that is maintained by a covered entity (such as a group health plan) in a designated record set. A designated record set generally includes claim adjudication records maintained by or for a health plan. According to regulations implementing expanded access rights under the HITECH Act, if a covered entity maintains PHI electronically in a designated record set, individuals are entitled to receive an electronic copy of their PHI. A covered entity (or a business associate) must furnish PHI to the requesting individual within a specified timeframe (generally 30 days); use reasonable safeguards; and limit fees for responding to the request. An individual could invoke this access right, receive a paper or electronic copy of the requested PHI, and then forward the PHI to a third party.
  • Individual Authorizations. An authorization permits—but does not require—a covered entity to disclose an individual’s PHI to the person or entity identified in the authorization. Authorizations contain a number of required elements and should be reviewed carefully before disclosures are made in reliance on them. Unlike access requests, disclosures pursuant to authorizations need not be made by express deadlines and are not subject to fee limitations.
  • Third-Party Directives. The HITECH Act regulations added a third method for disclosure of PHI to third parties. If an individual directs a covered entity to send their PHI in a designated record set to a specified third party (a third-party directive), then the covered entity must comply so long as the third-party directive is in writing, is signed by the individual, and clearly identifies the third party and where to send the PHI. Like disclosures pursuant to individual access requests, disclosures must be made within 30 days; reasonable safeguards must be used; and fees are limited. Thus, third-party directives have distinct advantages over authorizations for individuals requesting disclosures to third parties, but they create additional administrative and financial burdens for covered entities and business associates.

The continued validity of third-party directives is in question following a federal court’s determination that HHS exceeded its statutory authority when it applied third-party directives to designated record sets (see our Checkpoint article). In guidance acknowledging the court’s decision, HHS indicated that covered entities and business associates need not respond to third-party directives for PHI in designated record sets. That position would suggest that third-party disclosures may be made only pursuant to individual access requests or authorizations. HHS has proposed regulations consistent with the court’s decision that would remove third-party directives except for the limited circumstance of certain electronic health records maintained by health care providers (see our Checkpoint article). The proposed regulations would also modify some requirements relating to individual access, such as shortening the timeframe for acting on access requests.

Responding to participants’ requests for health information may also implicate other laws, including ERISA disclosure rules. In light of this complexity, covered entities and business associates should adopt standard policies and procedures for analyzing and responding to disclosure requests. For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Section XXVII.B (“Right to Access PHI in Designated Record Set”). See also EBIA’s ERISA Compliance manual at Section XXXIV.L (“Some Implications of HIPAA Privacy and Security Rules for ERISA Claims Processing”), and EBIA’s Self-Insured Health Plans manual at Section XXXI.B (“HIPAA Privacy”).