HIPAA Protections Apply Even When a Crime is Involved

The Memorial Hermann Health System (MHHS) in Houston learned an expensive lesson when it was fined $2.4 million for publicly naming an imposter seeking care at one of its facilities (National Law Review). The patient allegedly presented false identification while attempting to receive care at one of its clinics.

MHHS reported the incident, disclosing PHI to law enforcement, which is permissible under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The provider ran afoul of HIPAA by disclosing the patient’s PHI to the media and others without that patient’s authorization.

You’re probably wondering how this is relevant to you. Your company wouldn’t issue a press release if you discovered that employees, former employees, or others were erroneously or fraudulently using your benefits programs. There are three ways this topic is relevant to plan sponsors:

  • You don’t want to pay for ineligible members.
  • You don’t want to violate HIPAA privacy laws when you’re trying to control costs or improve member health.
  • You need to ensure your benefits data is secure, yet accessible so you and your advisors can use it to make strategic program decisions.

I tackle member ineligibility in this blog.

Are You Paying for Ineligible Members?

A no-brainer for curbing your escalating benefit costs is to make sure you’re paying only for members who are plan eligible. Matching eligibility files to member claims is critical, but many employers overlook this step.

Who monitors member eligibility?

Carriers, third-party administrators, and insurers.

For the most part, they are claims processors with no incentive to monitor eligibility because it could slow down claims processing.

You.

You collect eligibility files, but you would need access to PHI to match them to medical claims data. Staff accessing that PHI would be under the HIPAA microscope.

  • Do you have written policies and procedures in place to comply with the HIPAA Privacy rules and report data breaches?
  • Is your staff properly trained to handle PHI?

Your benefits advisor.

As a business associate, your advisor can access PHI on your behalf, making this a better option. But there still are potential issues:

  • Is your advisor’s staff properly trained to handle PHI? If not, you could still face HIPAA penalties if a business associate violates the law.
  • Does the advisor have the capacity and security to safely handle PHI for you and all its clients?
    • Are secure file transfer protocols in place?
    • How secure is the storage system?
    • How long will the advisor store your data?

A data analytics vendor.

An independent data analytics vendor presents the most protection and options, provided the vendor becomes a business associate. The data analytics vendor considers HIPAA responsibility, helps you navigate the tricky HIPAA landscape, and offers other benefits:

  • Capacity to securely store your data. As a bonus, most vendors will cleanse your data.
  • Secure transfer policies in place to receive eligibility files directly from you and claims files from your carrier(s). Check the vendor’s retention policy to see how long your data will be stored; policies vary.
  • Ability to integrate and analyze the data to quickly identify ineligible members so your advisor can work with the carrier(s) to have them removed. You never have to handle any sensitive data, which may include PHI.
  • The ability to accept data feeds more frequently, giving you more access to timely data. Before selecting a vendor, investigate how frequently it accepts data feeds and the number of vendors it will accept data from.
  • If the vendor integrates data across your benefits programs, you can get real-time data-driven insight to make strategic decisions.
    • For example, if you are looking only at pharmacy data from your carrier or PBM, you’re missing how much you’re spending on Rx costs covered under the medical benefit, like injectable drugs.

Read “Harness the Power of Data to Control Benefits and Risk Program Costs” to learn more about data integration.

Whichever route you choose, remember that you must protect PHI at all times, even when criminal activity is involved. This is more important than ever, since the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has ramped up its HIPAA enforcement efforts in the past few years.

Sashi Segu

Sashi Segu, Counsel, has participated in cases and provided legal expertise on HIPAA, ERISA, privacy, compliance, and other healthcare-related fields. Sashi left Innovu in March 2019 to pursue other interests.
