Full Version: HIPAA privacy regs.
BenefitsLink Message Boards > Health & Welfare Plans > Health Plans in General, Including COBRA and HIPAA
Linda
I’d like to start a dialogue on the HIPAA privacy regulations. Specifically, I would be interested in thoughts on the application of Section 164.504(f) to a single employer self-insured group health plan. Section 164.504(f) applies to disclosures by a group health plan to a plan sponsor (i.e., the employer). In this context, who is the “group health plan”?

If Section 164.504(f) is meant to apply to the transfer of PHI from a TPA to the employer, does that mean the TPA is the “group health plan” (and not merely a business associate)?

Or, is Section 164.504(f) meant to apply to the transfer of PHI from some designated group of employees of the employer (e.g., the benefits department) to other employees of the employer outside of the designated group? In that case, the designated group of employees would be the “group health plan.”

Please comment!
deacon
What are the requirements for including privacy provisions in a plan document or summary plan description? Is there a model notice that can be incorporated into the document?
BenefitsLawyer
The TPA is not the health plan--it is, as you suggest, a business associate of the health plan (because it's performing functions on behalf of the plan). The health plan is just a piece of paper (actually, probably several pieces of paper); in addition, some of the plan sponsor's employees perform functions for the plan. When the regs refer to disclosures by the plan to the sponsor, they're referring to disclosures of protected health information by the TPA, as the plan's business associate, or by the sponsor's employees who perform functions for the plan, to the sponsor's employees who do not perform functions for the plan.
Steve72
I agree completely with BenefitsLawyer's description of the rule; however, I would add that if any of the sponsor's employees perform work for both the plan and other services for the sponsor (e.g., disability benefits or payroll), they must be trained to "firewall" the use of PHI from non-health plan related functions they may perform.