QUESTION: We are a TPA that administers claims for many self-insured group health plans. We have a business associate contract with each plan. Sometimes, a plan instructs us to send claims information, which includes protected health information (PHI), to another business associate of the plan, such as a claims auditor or a medical reviewer. Can we do this if we do not have a contractual relationship with the other business associate?
ANSWER: PHI generally can be disclosed directly by one business associate to another business associate of the same covered entity without having to use the covered entity as a conduit or intermediary, so long as certain conditions are met.
Officials of HHS’s Office for Civil Rights (OCR) have addressed a hypothetical situation in which a group health plan is conducting an audit and instructs its pharmacy benefits manager (PBM) to disclose claims information containing PHI to a claims auditor. Both the PBM and the claims auditor have business associate contracts with the plan. The officials informally commented that the PBM can disclose PHI directly to the claims auditor, so long as the following conditions are met:
the plan directed the business associate to make the disclosure;
the business associate contract authorized the disclosure; and
the purpose of the disclosure was treatment, payment, or health care operations.
In the hypothetical situation, the claims audit fit within the definition of health care operations, so the disclosure was permitted.
Although the officials addressed a specific situation, the conclusion should apply more broadly. In fact, they cautioned that HIPAA cannot be used as the basis for impeding the flow of PHI for a plan’s health care operations, including audits of business associates and insurers. As an example of an improper use of HIPAA, they cited an insurer’s refusal to provide information necessary for a claims audit, noting that HIPAA allows disclosure of PHI for health care operations such as audits.
The officials also noted that the plan’s Notice of Privacy Practices must describe, with examples, how PHI is used and disclosed for health care operations such as audits.
For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Sections XXVI.B (“Uses and Disclosures for Treatment, Payment, and Health Care Operations”) and XXVII.G (“Right to Receive Notice of Privacy Practices”). You may also be interested in our upcoming webinar “HIPAA Breaches: Preparation and Response” (live on 1/26/2022).
Contributing Editors: EBIA Staff.