EDI privacy requirements impact on parties
EDI privacy requirements should be analyzed with regard to the parties involved. The employer/plan sponsor is not a covered entity. Technically it does not have to comply directly with the Privacy Regulations. However, employers and plan sponsors will be impacted indirectly. The group health plan (GHP), or its insurer or business associate, may not disclose protected health information (PHI) to the employer unless certain conditions are met. For example, the employer will have to provide a certification to the GHP, the plan documents will have to be amended, and the disclosure must be necessary for the employer to carry out plan administration functions. Access to PHI must then be restricted to only those employees performing those administrative functions.
According to the HIPAA mandate, brokers are not covered entities. Technically they are outside the direct scope of the Privacy Regulations. However, brokers will be impacted greatly. Of significant impact to brokers are the rules regarding what PHI a GHP — or its insurer or business associate — can provide to the broker. The GHP — or its insurer or business associate — may not disclose PHI to a broker unless certain conditions are met. An Anthem Business Associate Agreement must be in place and signed by the broker. Without this signed agreement, Anthem will not be able to continue its current business relationship with the broker.
EDI privacy requirements application to summary health information
EDI privacy requirements apply to summary health information (SHI). However, certain provisions allow a group health plan, its insurer, or its business associate to share SHI with the employer/plan sponsor without the employer/plan sponsor having to provide a certification to the GHP or amend the plan documents. SHI may be disclosed to the employer/plan sponsor only if it has been requested for the purpose of obtaining premium bids from health plans, or for modifying, amending, or terminating the group health plan.
De-identified information (DII) and EDI privacy requirements
The Privacy Rule has a provision for a category of information called de-identified information. Producing de-identified information requires the removal of a number of key data elements, including but not limited to name, address, Social Security number, and date of birth. Before information may be classified as “de-identified,” either all identifiers mandated by the rule must be removed, or a statistician must certify that the information cannot be linked to a person. If information is truly DII, then none of the privacy requirements apply to that data.