HIPAA Privacy and Private Workspaces
By Brian Gilmore | Published July 6, 2018
Question: An employer is moving to “hotel” seating for all employees. Do they need to designate a separate private workspace for employees who have access to PHI?
Compliance Team Response:
Employers that have a self-insured health plan need to maintain a HIPAA firewall that ensures only those employees who need access to PHI for plan administrative functions are permitted to use or disclose the plan's PHI. This protects the privacy of the information and ensures that it is not used for employment-related purposes (which HIPAA prohibits).
It's important that the employer be able to restrict access to electronic information, paperwork, and conversations that include PHI to only those workforce members with a plan-related need to know the information (i.e., those individuals whose job duties include some plan administrative functions).
If these employees expect to be discussing PHI regularly, it would be appropriate to have a separate space designed to accommodate those conversations without anyone overhearing. However, it is common for benefits professionals to simply limit their conversations that include PHI to conference rooms, call rooms, or other private areas that are available on-demand. PHI-related discussions typically are not so common that it would be a burden to move to a private space where needed.
Keep in mind that employee enrollment and disenrollment information (that does not include any substantial clinical information) maintained by the employer is not PHI protected by HIPAA. That information is considered an employment record rather than PHI held by the plan. That major exclusion from the definition of PHI limits the frequency with which PHI will be discussed by employees whose job duties are related to the plan.
Regulations:
45 CFR §164.504(f)(2) Implementation specifications: Requirements for plan documents.
The plan documents of the group health plan must be amended to incorporate provisions to:
(i) Establish the permitted and required uses and disclosures of such information by the plan sponsor, provided that such permitted and required uses and disclosures may not be inconsistent with this subpart.
(ii) Provide that the group health plan will disclose protected health information to the plan sponsor only upon receipt of a certification by the plan sponsor that the plan documents have been amended to incorporate the following provisions and that the plan sponsor agrees to:
(A) Not use or further disclose the information other than as permitted or required by the plan documents or as required by law;
(B) Ensure that any agents to whom it provides protected health information received from the group health plan agree to the same restrictions and conditions that apply to the plan sponsor with respect to such information;
(C) Not use or disclose the information for employment-related actions and decisions or in connection with any other benefit or employee benefit plan of the plan sponsor;
(D) Report to the group health plan any use or disclosure of the information that is inconsistent with the uses or disclosures provided for of which it becomes aware;
(E) Make available protected health information in accordance with §164.524;
(F) Make available protected health information for amendment and incorporate any amendments to protected health information in accordance with §164.526;
(G) Make available the information required to provide an accounting of disclosures in accordance with §164.528 ;
(H) Make its internal practices, books, and records relating to the use and disclosure of protected health information received from the group health plan available to the Secretary for purposes of determining compliance by the group health plan with this subpart;
(I) If feasible, return or destroy all protected health information received from the group health plan that the sponsor still maintains in any form and retain no copies of such information when no longer needed for the purpose for which disclosure was made, except that, if such return or destruction is not feasible, limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible; and
(J) Ensure that the adequate separation required in paragraph (f)(2)(iii) of this section is established.
(iii) Provide for adequate separation between the group health plan and the plan sponsor. The plan documents must:
(A) Describe those employees or classes of employees or other persons under the control of the plan sponsor to be given access to the protected health information to be disclosed, provided that any employee or person who receives protected health information relating to payment under, health care operations of, or other matters pertaining to the group health plan in the ordinary course of business must be included in such description;
(B) Restrict the access to and use by such employees and other persons described in paragraph (f)(2)(iii)(A) of this section to the plan administration functions that the plan sponsor performs for the group health plan; and
(C) Provide an effective mechanism for resolving any issues of noncompliance by persons described in paragraph (f)(2)(iii)(A) of this section with the plan document provisions required by this paragraph.
(3) Implementation specifications: Uses and disclosures. A group health plan may:
(i) Disclose protected health information to a plan sponsor to carry out plan administration functions that the plan sponsor performs only consistent with the provisions of paragraph (f)(2) of this section;
(ii) Not permit a health insurance issuer or HMO with respect to the group health plan to disclose protected health information to the plan sponsor except as permitted by this paragraph;
(iii) Not disclose and may not permit a health insurance issuer or HMO to disclose protected health information to a plan sponsor as otherwise permitted by this paragraph unless a statement required by §164.520(b)(1)(iii)(C) is included in the appropriate notice; and
(iv) Not disclose protected health information to the plan sponsor for the purpose of employment-related actions or decisions or in connection with any other benefit or employee benefit plan of the plan sponsor.
45 CFR §160.103:
Protected health information means individually identifiable health information:
(1) Except as provided in paragraph (2) of this definition, that is:
(i) Transmitted by electronic media;
(ii) Maintained in electronic media; or
(iii) Transmitted or maintained in any other form or medium.
(2) Protected health information excludes individually identifiable health information:
(i) In education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g;
(ii) In records described at 20 U.S.C. 1232g(a)(4)(B)(iv);
(iii) In employment records held by a covered entity in its role as employer; and
(iv) Regarding a person who has been deceased for more than 50 years.
67 Fed. Reg. 53181, 53208 (Aug. 14, 2002):
https://www.gpo.gov/fdsys/pkg/FR-2002-08-14/pdf/02-20554.pdf
While the standard enrollment and disenrollment transaction does not include any substantial clinical information, the information provided as part of the transaction may indicate whether or not tobacco use, substance abuse, or short, long-term, permanent, or total disability is relevant, when such information is available. However, the Department clarifies that, in disclosing or maintaining information about an individual’s enrollment in, or disenrollment from, a health insurer or HMO offered by the group health plan, the group health plan may not include medical information about the individual above and beyond that which is required or situationally required by the standard transaction and still qualify for the exceptions for enrollment and disenrollment information allowed under the Rule.
65 Fed. Reg. 82461, 82496 (Dec. 28, 2000):
https://www.gpo.gov/fdsys/pkg/FR-2000-12-28/pdf/00-32678.pdf
The preamble to the Transactions Rule noted that plan sponsors of group health plans are not covered entities and, therefore, are not required to use the standards established in that regulation to perform electronic transactions, including enrollment and disenrollment transactions. We do not change that policy through this rule. Plan sponsors that perform enrollment functions are doing so on behalf of the participants and beneficiaries of the group health plan and not on behalf of the group health plan itself. For purposes of this rule, plan sponsors are not subject to the requirements of § 164.504 regarding group health plans when conducting enrollment activities.
65 Fed. Reg. 82461, 82646 (Dec. 28, 2000):
https://www.gpo.gov/fdsys/pkg/FR-2000-12-28/pdf/00-32678.pdf
We agree with the commenters that firewalls are necessary to prevent unauthorized use and disclosure of protected health information. Among the conditions for group health plans to disclose information to plan sponsors, the plan sponsor must establish firewalls to prevent unauthorized uses and disclosures of information. The firewalls include: describing the employees or classes of employees with access to protected health information; restricting access to and use of the protected health information to the plan administration functions performed on behalf of the group health plan and described in plan documents; and providing an effective mechanism for resolving issues of noncompliance.
Brian Gilmore
Lead Benefits Counsel, VP, Newfront
Brian Gilmore is the Lead Benefits Counsel at Newfront. He assists clients on a wide variety of employee benefits compliance issues. The primary areas of his practice include ERISA, ACA, COBRA, HIPAA, Section 125 Cafeteria Plans, and 401(k) plans. Brian also presents regularly at trade events and in webinars on current hot topics in employee benefits law.