Brokers as HIPAA Business Associates – The Minimum Necessary Rule Applies!
August 2023
Background
There are many rules about appropriate use and disclosure of protected health information (PHI), but one major requirement is known as the “Minimum Necessary Rule”. The general idea behind this rule is that even when a use or disclosure of PHI is appropriate, a person should limit the type and amount of information being used or disclosed to the minimum necessary to accomplish the task at hand. While some exceptions apply, this rule should generally be applied whenever using or disclosing PHI for routine or non-routine purposes.
The definition of a ‘business associate’ by the Department of Health and Human Services is:
What Is a “Business Associate”? A “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. A member of the covered entity’s workforce is not a business associate. A covered health care provider, health plan, or health care clearinghouse can be a business associate of another covered entity. The Privacy Rule lists some of the functions or activities, as well as the particular services, that make a person or entity a business associate, if the activity or service involves the use or disclosure of protected health information. The types of functions or activities that may make a person or entity a business associate include payment or health care operations activities, as well as other functions or activities regulated by the Administrative Simplification Rules.
Business associate functions and activities include:
- claims processing or administration;
- data analysis, processing or administration;
- utilization review; quality assurance;
- billing;
- benefit management;
- practice management; and
- repricing.
Business associate services are:
- legal;
- actuarial;
- accounting;
- consulting;
- data aggregation;
- management;
- administrative;
- accreditation; and
- financial.
Common Violations
There are several ways the Minimum Necessary Rule can be violated. First, sometimes organizations allow too many people to access PHI, or allow people access to more PHI than they need to carry out their responsibilities.
Another common situation occurs when too many people get involved in an issue. Even if it is technically permissible to share PHI with somebody (e.g., because there is a business associate agreement in place), that doesn’t mean every disclosure is necessary. It is important to think about who the information is being shared with and consider whether that person really needs to see the PHI to help resolve the issue.
For example, a broker or consultant will often receive compliance-related questions because an employer is trying to resolve some type of compliance issue. The broker or consultant acts as a business associate, so sharing PHI with them is not necessarily wrong in itself. However, there are essentially no instances in which seeing PHI is necessary for the broker or consultant to assist with a compliance question. Including PHI in a compliance-related question is therefore unnecessary, and so it is a violation of the minimum necessary standard.
Plan Sponsor v. Business Associate Obligations
Plan sponsors must comply with the rule by considering what type of PHI is generally appropriate for the various types of uses and disclosures they engage in. For example, an employer might routinely interact with the TPA for its self-funded plans, or certain employees responsible for plan administration may routinely work with one another to resolve various types of benefits-related issues. These types of activities should be considered, and organizations should have a clear sense of what type of information is appropriate in carrying them out.
But business associates are not off the hook! In general, business associates must also ensure that they are limiting the amount of PHI they use and disclose to the minimum necessary to carry out their plan administration functions on behalf of their clients. Business associates, including brokers, should also review the terms of their business associate agreements to determine whether there are specified limitations on the amount or type of PHI they are permitted to use or disclose on the covered entity’s behalf. Brokers acting as business associates should also have policies and procedures in place that describe how they comply with the requirements of the HIPAA Privacy and Security Rules. These policies will cover many things, but one important thing that should be addressed is exactly how the client’s PHI is handled by the business associate – including who has access to that information, and what the processes are for using and disclosing it.
Conclusions
Compliance with the Minimum Necessary Rule involves a number of related steps. First, plan sponsors and their business associates must evaluate what type of PHI they interact with and who is responsible for carrying out plan administration responsibilities; then they must decide which employees should be interacting with that information, make sure those folks receive training, and so on. Addressing the Minimum Necessary Rule is impossible without addressing HIPAA compliance as a whole. It’s just one piece of the puzzle.
Resources
HIPAA Business Associate Agreements
While every effort has been taken in compiling this information to ensure that its contents are totally accurate, neither the publisher nor the author can accept liability for any inaccuracies or changed circumstances of any information herein or for the consequences of any reliance placed upon it. This publication is distributed on the understanding that the publisher is not engaged in rendering legal, accounting, or other professional advice or services. Readers should always seek professional advice before entering into any commitments.