What if I only receive summary health information and conduct enrollment / disenrollment activities?
A health plan, regardless of size, is exempt from many of the HIPAA privacy requirements if (1) the plan provides health benefits only through an insurance contract with a health insurer or an HMO, and (2) the plan does not create or receive any individually identifiable “protected health information” other than summary health information (i.e., information which has had all identifiers deleted from it other than some geographic information) and basic enrollment and disenrollment information. Note: This same exemption does not apply to the security standards. Because the plan does receive some limited protected health information, such as enrollment and eligibility information, the plan should get a business associate agreement with their agent/broker or anyone else doing anything on their behalf that receives PHI. Note: Under HIPAA, the plan is not required to get a business associate agreement with the insurance carrier/HMO (e.g., Medica, HealthPartners, BCBS) or the plans sponsor/em
Related Questions
- If a federal agency contracts with a private or other entity to conduct certain activities of the agency, does the Executive Order apply to the activities of the contractor?
- Upon joining can one arrange meetings/seminars, publish advt. materials and conduct any promotional activities?
- Next entry: Are there limits on how much foreign activities a Canadian charity can conduct?
