The Self-Funded ERISA Plan Tackles HIPAA Privacy, as appeared in The Self Insurer

On April 14, 2001, regulations governing the privacy of individually identifiable health information (so-called "protected health information" or "PHI") were promulgated by the United States Department of Health and Human Services ("DHHS").1 These regulations are commonly known as the "HIPAA privacy rule" because they were issued as part of the administrative simplification provisions of the Health Insurance Portability and Accountability Act ("HIPAA"). Those provisions were generally intended to reduce the costs of health care financing by standardizing the electronic communication of a number of transactions around enrollment, precertification and claims submission.

The HIPAA privacy rule does not simply apply to insurance companies and HMOs (so-called "issuers" under the rule). In most cases, it also treats the ERISA welfare benefit plan itself as a covered entity "health plan".2 As a covered entity, the ERISA plan must: a.) use and disclose PHI only as permitted by the rule; b.) implement certain beneficiary rights (e.g., rights of access, to amend and receive an accounting); and c.) undertake a number of administrative steps (appoint a privacy officer, develop a complaint procedure and institute training) unless it fully insures its benefits.

Within its requirements around the use and disclosure of PHI, the Privacy Rule is especially rigorous as to the ERISA plan's potential disclosure of PHI to the plan sponsor. The remainder of this article explores several of the challenges affecting ERISA plan/plan sponsor communications in the HIPAA privacy era.

Employer as Plan Sponsor and Plan Business Associate

The preamble to the final rule labels the ERISA plan as a separate legal entity from the sponsor. In identifying the plan as distinct from the sponsor, the rule seeks a "Chinese wall" between those handling PHI for the plan and the remainder of the sponsor's employees. Moreover, under the logic of the privacy rule, the employer's performance of functions for the covered entity/plan should make it a business associate of the ERISA plan.

The Preamble notes that a business associate contract would be required between the ERISA plan and the sponsor if it were not for the special rules set forth in Section 504(f)(2). Section 504(f)(2) enshrines the plan documents as a home for the promises between the plan and the plan sponsor that would normally be the province of the business associate addendum between the covered entity health plan and any other service provider to the plan.

To this observer, the methodology for the new limitations on disclosures to plan sponsors seems to cascade from regulatory compromise. Undoubtedly, those drafting the privacy rule sought to adhere to the limitations of the legislation (excluding employers from the ranks of covered entities) while at the same time addressing the concern that welfare benefit plan information might be used in employment related decisions. It is likely that DHHS' attempt to honor Congress' intention to keep employers beyond the pale was frustrated by the degree of involvement of employers in the ERISA welfare benefit plans that are covered entities under the rule.

Employers can, in fact, be too intimately involved with the welfare benefit plans that they have created for the regulatory regime to ignore. Employers often are the welfare benefit plan's sponsors and may carry out many functions for the welfare benefit plan. Moreover, many of the consumer's deepest fears with respect to the confidentiality of health information are grounded in fears of the consequences of the use of that information in an employment context. Thus, while we may be surprised at the oblique way the final rule begins to govern the privacy of health information in the work place, we can scarcely be surprised that the subject has arisen.

Option of Obtaining Authorization

Disclosures of PHI to the plan sponsor, either directly by the ERISA plan or indirectly through an issuer or plan service provider, must be guided by Section 504 unless they are the subject of a specific authorization meeting the requirements of Section 508 of the regulation. An authorization meeting the requirements of Section 508 must, among other things, in a meaningful fashion: identify the specific persons or classes of persons that are authorized to make the disclosure; identify the persons or classes of persons to whom the disclosure would be made; contain a relevant expiration date; and include a statement of the individual's right to revoke the authorization. The authorization should be obtained from each beneficiary capable under state law of granting consent, not simply from the subscriber. The detailed nature of the authorization and the need to reach all beneficiaries may cause the Section 508 authorization to be disfavored as a method of ERISA plan compliance with the use and disclosure rules.

504(f)(1)/ Disclosures Permitted Without Certifications

Alternatively, disclosures to plan sponsors are permitted under Section 504(f)(1) where they are limited to "summary health information" and are requested by the sponsor for the purpose of obtaining premium bids or for the purposes of modifying, amending or terminating the ERISA plan. ERISA lawyers would deem the latter set of functions to be plan "settlor functions". Summary health information is the rough equivalent of the de-identified information which falls outside the governance of the final rule's use and disclosure restrictions, the principal difference being that summary health information may retain geographic information down to the five-digit ZIP code level.

It is interesting that the rule chooses to place the responsibility for policing disclosures to plan sponsors on the ERISA plan and derivatively on the plan's business partners.3 This suggests that ERISA plans (or employers contracting on their behalf) should incorporate Section 504(f) covenants in their agreements with insurers and administrative services only ("ASO") vendors. Of course, this caution does not neatly fit the marketplace reality of ASO agreements being authored by the service provider. Thus, it is the ASO vendors who may need to anticipate the need and provide their customers with the § 504(f) protections those customers require.

The focus of § 504(f) on the plan raises many interesting wrinkles. For instance, those deputized as fiduciaries by the plan documents must take steps to protect plan beneficiaries' PHI from the predations of the plan sponsor, often the employer of those fiduciaries. Think also about penalty scenarios. In theory, the ERISA plan would be penalized for an ASO vendor's disclosure to the employer because the employer, acting as administrator of the same plan, failed to constrain the vendor.

Section 504(f)(2) — The Puzzling Architecture

Section 504(f)(2) sets out several conditions under which information, other than summary health information, can be disclosed to the plan sponsor. In substance, they resemble the business associate covenants that might otherwise be applicable. In effect, the Section calls upon the ERISA plan's "plan documents" to be the vehicle for the covenants. Thus, as the business associate contract would normally do, the plan documents must now specify the "permitted and required uses and disclosures" by the plan sponsor, and those uses may not be otherwise inconsistent with the Section.

The plan documents are also to be amended to include several ground rules and certain other agreements are to be obtained from the sponsor. It is not at all clear how those sponsor agreements are to be reached. Can the employer qua administrator contract with the employer qua sponsor to get commitments as to the sponsor's uses of PHI?

The amendment of the plan documents seems easier to accomplish, but its effectiveness is equally puzzling. It seems that the plan documents may have been made the home of all these covenants because of the lack of juridic identity for the ERISA plan and the concomitant shortage of parties to enter into contracts on these matters.4 However, the enforcement conundrum is: whose actions are to restrain the plan sponsor's breaches? The employer is not a covered entity. Can the Office for Civil Rights reach its breaches?

Moreover, the entity which has obtained the covenants might seek to enjoin the breaches of the covenants. However, if the covenants are in the plan documents, must plan fiduciaries file suit against their employer to restrain their employer's breaches? Does the plan document even act as a contract between the plan and the sponsor?

Section 504(f)(2)(ii)/ The Requirements for All Other Disclosures

The requirements themselves state an important principle and carry some business associate methodology into the plan sphere. However, they also pose some operational and documentation challenges for welfare benefit plans.

The core principle is that the PHI is not to be used or disclosed for employment-related actions and decisions (or in connection with other benefit plans). The imports from the business associate methodology are: a) agreement to report non-conforming uses and disclosures to the ERISA plan; b) agreement to give beneficiaries access to the PHI; c) agreement to give beneficiaries an accounting of certain disclosures of the PHI (those outside treatment, payment and health care operations); d) agreement to give the Secretary of DHHS access to relevant books and records; and e) agreement to return or destroy the PHI when it is no longer needed. On the whole, these are unremarkable except to the extent that the construct of reporting between the plan and the sponsor presupposes distinctions between the two that are often blurred in reality.

This same lack of division between the plan and the corporation also produces the most significant operational challenge. The group health plan is to document adequate separation between it and the sponsor. That separation must include a listing in the plan documents of the classes of employees or others with access to the PHI. Moreover, those persons with access must be those necessary for plan administration. The challenge is to think about what is reasonably necessary in this context, define it and then abide by it.

The process of compliance in the area of sponsor communications is multifaceted. First, the situs for the documentation will be a challenge. In the insured context, the plan documents of many welfare benefit plans do not exist beyond the certificate of coverage. Thus, it could fall on the issuer to assist the plan administrator in documenting compliance.

The problem is equally vexing in the self-funded context. In such cases the managed care organization is likely to be acting as the business associate of the ERISA plan. The plan must still find plan documents to be the vehicle for the incorporation of the certifications delineated in Section 504(f)(2)(ii). Here the TPA or other ASO vendor may need to facilitate the drafting of a summary plan description with the appropriate covenants.

An Alternative Pathway To Compliance

Often, in law as in life, what is unsaid may have as much significance as what is explicitly stated. As we have seen above, the privacy regulation goes to great lengths to establish the condition under which PHI could be disclosed by the ERISA plan, an insurer or ASO vendor, to the plan sponsor. Before such communications can occur the beneficiaries must have received notice of such disclosures through amended plan documents and the plan sponsor must have made a series of certifications as to its use of the PHI.

Left unsaid is the fact that plan personnel could receive PHI from plan service providers without enabling amendments to the plan documents and without certifications as to the use of the data. Of course, the plan will want to use the data in a manner which is consistent with the spirit of § 504(f) even if the section's strictures do not apply. Thus, plans may wish to develop policies and procedures for the confidential handling of PHI, but they may be able to avoid plan document amendments and other steps by taking the time to identify to the plan's vendors those plan personnel with the authority and the need to receive PHI. Specifically, such identification and certification could take place in each TPA, network vendor and other ASO services contract.

Conclusion

The HIPAA privacy rule now requires welfare benefit plans to afford beneficiaries certain access, amendment and accounting rights with respect to individually identifiable health information. It also prescribes the implementation of privacy oversight structures for such plans. Finally, it specifies that plans may only use or disclose PHI in accordance with several enumerated public policy purposes or in the context of the plans' own treatment, payment or health care operations activities.

Disclosures made by plans, directly or indirectly to plan sponsors, are particularly burdened by the rule. The plan must first notify beneficiaries of the possibility of such disclosures through plan document amendments. The plan sponsor must also give certain certifications that it will not use the PHI for employment related decisions.

There is an alternative method of compliance. The alternative method relies on clarifying existing roles and suggests that, to the extent that communication of PHI is necessary, that it travel to the plan rather than the sponsor. This alternative should be carefully reviewed with counsel.

Calendar year 2002 will be a busy year for self-funded ERISA plans as they seek to come into compliance with the final privacy rule. The naming of privacy officers, the promulgation of policy as to PHI use and disclosure and preparations to give beneficiaries notice of their rights, including their access, amendment and accounting rights, will crowd the agenda. However, time should also be devoted to address the issues of information disclosure to persons who might be deemed to be acting for the plan sponsor and to the adoption of a risk management strategy around such communications.


1 The regulations will not be enforced by the DHHS Office for Civil Rights until April 14, 2003. Thus, ERISA welfare plans are currently in a period in which they should be coming into compliance.

2 An ERISA plan with fewer than fifty participants will not be a covered entity unless it is administered by an entity other than the plan sponsor.

3 This conclusion is supported by the language of Section 504(f)(1): "or permit the disclosure of protected health information to the plan sponsor by a health insurance issuer or HMO." Similar language can be found in Section 504(f)(3), the so-called "Implementation Specifications," which require the ERISA plan "not to permit" a health insurance issuer or HMO to make a disclosure to the plan sponsor outside the Section's parameters.

4 I invite the reader to advance any other explanation for the apparent circularity of Section 504(f)(2). That Section states that the plan documents are to be amended to provide that the plan will disclose PHI only upon receipt of a certification by the sponsor that the plan documents have been amended!

Please feel free to contact Mark E. Lutes at 202/861-1824 in the firm's Washington, D.C. office if you have any questions or comments. Mr. Lutes' e-mail address is [email protected].

This publication is provided by Epstein Becker & Green, P.C. for general information purposes; it is not and should not be used as a substitute for legal advice.