To review, the HIPAA privacy rule requires covered entities, which include group health plans and insurers, to enter a written agreement with a plan service provider before sharing protected health information (PHI) with them. PHI is any individually identifiable health information maintained or transmitted in any form or media, whether electronic, paper or oral. The written business associate agreement (BAA) is designed to ensure the plan service provider (i.e., business associate) will appropriately safeguard PHI and only use or disclose PHI for permissible purposes.
Importantly, the HIPAA privacy and security requirements, including the BAA, apply only to health plans and not to all welfare benefit plans. A health plan is an individual or group plan that provides (or pays the cost of) medical care.
Major medical plans, dental and vision plans, health FSAs and HRAs are health plans that must comply with the HIPAA privacy and security rules. There is no exception for governmental, church and retiree health plans.
By contrast, plans providing only certain incidental coverage for nonmedical benefits, such as accident-only, workers' compensation, disability income, or life insurance coverage, are exempt from the HIPAA privacy and security rules. Similarly, stop-loss coverage is typically not health insurance because it does not pay for medical care. Additionally, an ERISA-exempt HSA program is likely not considered to be a health plan subject to HIPAA's privacy and security requirements.
With a fixed indemnity (e.g., hospital indemnity) or specific illness (e.g., cancer insurance) policy, the particular coverage terms must be reviewed. Generally, coverage that pays a flat amount per day for hospitalization or illness without regard to medical services received is not considered to be a health plan. However, policies that provide reimbursement based on the medical care received likely are health plans subject to HIPAA privacy and security rules.
A wellness program included as part of the major medical plan or a stand-alone wellness program providing medical care (e.g., medical testing with individual results) would normally be required to comply with HIPAA's privacy and security requirements. The same would be true for an employee assistance plan that provides mental health coverage (since that is medical care).
Accordingly, employers should review their various benefits carefully and determine which are health plans subject to the HIPAA privacy and security rules. Insurers and health plans that will be disclosing PHI to a plan service provider should enter a BAA with the service provider. Generally, the insurer would enter the BAA for a fully insured plan, and the employer/plan sponsor would enter the BAA on behalf of a self-insured plan.
However, if the benefit plan serviced is not a health plan, then a BAA would not be appropriate because the HIPAA privacy and security rules would not be implicated. Rather, for non-health plans that will be disclosing confidential data to a plan service provider, the parties could consider entering a nondisclosure or confidentiality agreement.
Of course, employers are always advised to consult with their legal counsel for specific advice and guidance regarding any contractual agreements (including BAAs and nondisclosure or confidentiality agreements).