cstrong
Jan 26 2004, 07:22 PM
I have a COBRA service provider that denies it is a "business associate" as defined in HIPAA. I think I disagree. Does anyone have any thoughts?
Thanks in advance for any help!
kowen
Jan 27 2004, 09:25 AM
I agree with you. The COBRA service provider is performing services on behalf of your health plan and receiving PHI. It seems pretty clear to me.
Jbentz
Jan 27 2004, 10:54 AM
I use the "three legged stool" method for my analysis for BAs that AHIMA (American Health Information Management Association) recommends:
1) Are you sharing PHI?
2) Are they outside your workforce?
3) Are they doing something on your behalf?
All three answers must be yes or they do not qualify. If your service provider still disagrees, then ask them to tell you why under the definition under 160.103. I also ask for them to document their decision so I may send it to our attorney and to the OCR for clarification. That usually brings them around to my way of thinking.
Let me know if you need any further help, will be glad to help.
Kirk Maldonado
Jan 27 2004, 01:58 PM
Jbentz:
What is the PHI that the COBRA provider would receive in the standard situation?
BenefitsLawyer
Jan 27 2004, 02:15 PM
It may be that a COBRA service provider needs only enrollment/disenrollment info and premium payment info to perform its services. In the hands of the plan sponsor/employer, neither enrollment/disenrollment info nor premium payment info is PHI. So, if the COBRA service provider receives only enrollment/disenrollment info and premium payment info, and receives it from the plan sponsor/employer, there is no sharing of PHI by the plan and no business associate relationship between the COBRA service provider and the plan.
This is an area that OCR has been asked to address, but has not (at least as of this a.m.).
kowen
Jan 27 2004, 02:17 PM
I would assume the plan is sharing PHI or it would not seek a BAA. The service provider would possibly be receiving substantiation of applications for disability extensions.
Kirk Maldonado
Jan 27 2004, 07:59 PM
I wouldn't necessarily make that assumption. The plan may just be acting reflexively.
Steve72
Feb 3 2004, 11:26 AM
BenefitsLawyer is correct. Many COBRA service providers are taking the position that they act on behalf of the employer and not the plan. It is a defensible position, in my opinion.
Kirk Maldonado
Feb 4 2004, 02:56 AM
I think that BenefitsLawyer is right in about 99% of the cases.
But if the fact scenario that kowen suggested actually materializes, then I think you may have a HIPAA question. That is because the COBRA service provider would presumably get a copy of the determination by the Social Security Administration that the person is disabled. It seems to me that is the exact type of information that HIPAA was trying to protect the privacy of.
However, I will freely admit that I am a relative novice in the nuances of the Privacy Rule promulgated under HIPAA, so I solicit the views of more knowledgeable persons.
Steve72
Feb 5 2004, 09:16 AM
Kirk, you (and kowen) raise an interesting point. I do not think it changes the result, however.
The Social Security determination, until it is received by a covered entity (or the business associate of a covered entity) is not PHI. If you take the position that the COBRA service provider is acting on behalf of the employer and not the plan, then the receipt of the determination will not impact that determination...unless the determination is received directly from the plan.
I agree that this seems counter-intuitive. One would think that the determination would be one of the pieces of information that would be most protected. Due to the manner in which HIPAA was crafted, however, only information used or disclosed by a covered entity is protected. Once the information is disclosed outside a covered entity, it is outside HIPAA's protection.
kowen
Feb 5 2004, 10:50 AM
Good point, but I think the COBRA provider would be acting on behalf of the plan administrator, who is responsible for most of the COBRA burdens. If the provider was only acting on behalf of the employer, they would be notifying the plan administrator of qualifying events and not much else. If the employer and plan administrator were the same entity, as is normally the case in single employer plans, it would make no sense to hire a provider to carry out COBRA responsibilities of the employer only. There are some gray areas and the "plan" is often only a legal document. I don't think HIPAA was drafted with the intention of enforcing rules against documents and I don't think HHS would buy the "acting on behalf of the employer only."
Steve72
Feb 5 2004, 12:22 PM
Intellectually, I agree with your reasoning, kowen; however, looking at it in that manner would render the statement that enrollment and disenrollment information held by the employer and not the plan is not PHI meaningless.
I apologize for the ungainliness of that last sentence.
Kirk Maldonado
Feb 5 2004, 02:21 PM
Steve72:
I agree that you are raising a very good point.
Further, I want to caveat my remarks with the disclaimer that I am only peripherally involved in HIPAA. But the HIPAA attorneys that I've worked with have indicated that the employer doesn't have to worry about such health information as long as that information is in the individual's employment records maintained by that employer.
Assuming that is the correct test, then I am skeptical that your argument would prevail. For one thing, by definition those people aren't working any more. Second, I think that is stretching the concept of working on behalf of the employer too far.
But I will freely concede that you have a good faith argument.
Steve72
Feb 6 2004, 11:00 AM
"But I will freely concede that you have a good faith argument. "
Works for me. I also freely concede that this argument is far from doubt. When there is a question, I always recommend seeking the BAA. However, some service providers are adamant that they are acting on behalf of the employer. If so, I believe the above is the stance to take.
As I may have said before, I believe that HHS's understanding of the ERISA universe is.....less than sophisticated. Many of these issues may need further guidance, which may not be forthcoming.
Kirk Maldonado
Feb 6 2004, 01:45 PM
Steve72:
I think your comment applies to all federal agencies other than the IRS, DOL, and the PBGC.
But that isn't too surprising, if you ever spent any time working in a federal bureaucracy. They have so many workers that, even within the area that they are responsible for, everybody gets hyper-specialized. Thus, as a general rule, nobody there generally has a good overall picture of the entire area that is subject to the jurisdiction of that agency, let alone other areas of the law.
Steve72
Feb 10 2004, 11:21 AM
As a former DOL guy, I think you are right on the money, Kirk.
Kirk Maldonado
Feb 10 2004, 12:57 PM
Steve72:
Since you came out, so will I. I'm a former IRS guy.
Kirk Maldonado
Feb 11 2004, 05:25 PM
The more I think about it, the less comfortable I feel that the argument that the COBRA provider is acting on behalf of the employer should work. If it did, to a large extent that eviscerates the concept of "business associate," because if they weren't acting on behalf of the employer, then why would the business hire them in the first place?
It seems to me that the underlying theory is that if the covered entity passes on health information to another entity, a business associate agreement is needed to protect the privacy of that information, to the same extent as it is protected in the hands of the covered entity.
The extension of the argument that the COBRA service provider isn't a business associate would mean that it has no obligation to protect the privacy of that information under HIPAA. That doesn't seem to be the right result to me.
Steve72
Feb 12 2004, 01:12 PM
QUOTE (Kirk Maldonado @ Feb 11 2004, 05:25 PM)
The more I think about it, the less comfortable I feel that the argument that the COBRA provider is acting on behalf of the employer should work. If it did, to a large extent that eviscerates the concept of "business associate," because if they weren't acting on behalf of the employer, then why would the business hire them in the first place?
It seems to me that the underlying theory is that if the covered entity passes on health information to another entity, a business associate agreement is needed to protect the privacy of that information, to the same extent as it is protected in the hands of the covered entity.
The extension of the argument that the COBRA service provider isn't a business associate would mean that it has no obligation to protect the privacy of that information under HIPAA. That doesn't seem to be the right result to me.
Again, I do not disagree with your analysis from a policy perspective. However, the HIPAA rules were drafted for providers, not employer-sponsored plans. In many ways, HHS has attempted to alter the rules' applicability to ERISA plans to ensure that business operations can continue.
Your statement regarding the underlying theory is correct, and is, in fact, why I think this argument flies. Health information (e.g., enrollment information) is (arguably) not being transferred from a covered entity (the plan), but from the employer.
The employer is under no HIPAA obligation to protect enrollment information, neither is its contractor.
Kirk Maldonado
Feb 12 2004, 04:19 PM
Thanks for clarifying that point. Now I understand that position much better.
GBurns
Feb 12 2004, 04:22 PM
Steve72
Who really does the enrollment, the employer, the health plan or the insurance provider (for insured plans)?
Steve72
Feb 12 2004, 04:57 PM
QUOTE (GBurns @ Feb 12 2004, 04:22 PM)
Steve72
Who really does the enrollment, the employer, the health plan or the insurance provider (for insured plans)?
GBurns:
Aye, there's the rub. It depends on how narrowly the "enrollment/disenrollment" exception is read. I can see both sides.
As a practical note, HHS has said that it is aware of a lack of clarity surrounding certain issues, and will not take a hard-line enforcement approach. They say that they've engaged in a few outreach actions, but have taken an educational, rather than a punitive approach.
Kirk Maldonado
Mar 26 2004, 05:45 PM
An informative but brief discussion of the topic of this thread is located in HIPAA Security and Privacy Issues for Employers found in Benefits Buzz.