Group Health Plan's Glossary
of the privacy rule include those to have personnel designations, training, safeguards, complaint handling, sanctions, mitigation of harm, and current policies and procedures. These are not required if only summary information is exchanged between the GHP and plan sponsor. However, in all cases, the GHP must comply with the requirement to refrain from intimidating or retaliatory acts for participation in any process established by the privacy rule or the filing of a complaint, and with the prohibition on requiring individuals to waive their privacy rights.
is required from the plan sponsor if the GHP provides PHI to the plan sponsor. The certification is similar to a business associate agreement, but explicitly requires certification that the plan sponsor will not use or disclose the information for employment-related actions and decisions or in connection with any other benefit or employee benefit plan of the plan sponsor.
Employment-related health information
is not a term expressly used in HIPAA, but is indirectly described by excluding individually identifiable health information in employment records held by a covered entity in its role as employer from the definition of PHI. Employment-related health information may include information concerning pre-employment physical exams, drug and alcohol screening, fitness for duty tests, medical absence, workers' compensation claims, disability leave, and Family Medical Leave Act.
Plan administration functions
are those administrative functions performed by the plan sponsor of a GHP on behalf of the plan (such as enrollment of an individual in the plan), and exclude functions performed by the plan sponsor in connection with any other benefit or benefit plan (such as life insurance benefits) of the plan sponsor.
is an agreement between the plan sponsor and GHP that explains how the plan will be administered. The privacy rule requires that if the plan sponsor receives PHI, the plan document must be amended to establish permitted and required uses and disclosures of the PHI and provide certification of protections.
is the entity that ultimately pays for the coverage, benefit, or insurance product. A sponsor can be an employer, union, government agency, association, or insurance agency. Plan sponsors may obtain SHI for the purpose of obtaining premium bids or modifying, amending, or terminating the group health plan. The plan sponsor may also be supplied information from the GHP as to whether an individual is participating in the plan, or is enrolled in or has disenrolled from a health insurance issuer or HMO offered by the plan. Organizational separation must be provided for in the amendments to the plan document if the plan sponsor receives PHI from the GHP, insurance issuer, or HMO with respect to the GHP. The amendment must describe the employees or classes of employees or other persons under the control of the plan sponsor to be given access to PHI, restrict access to and use by such employees and other persons to the plan administration functions that the plan sponsor performs for the GHP, and provide a mechanism for resolving issues of non-compliance.
Summary health information (SHI)
is information that summarizes the claims history, claims expenses, or types of claims experienced by individuals for whom a plan sponsor has provided health benefits under a GHP. SHI must have identifying information deleted (per the privacy rule's de-identification requirements), except that the geographic information need only be aggregated to the level of a five-digit ZIP code. Because the health information retains the ZIP code, HIPAA states that this may be individually identifiable health information, but does distinguish it from PHI.
: Web Extra. Journal of AHIMA 74, no. 3 (2003).