Overview:
Except when the only electronic protected health information disclosed to a plan sponsor is disclosed pursuant to § 164.504(f)(1)(ii) or (iii), or as authorized under § 164.508, a group health plan must ensure that its plan documents provide that the plan sponsor will reasonably and appropriately safeguard electronic protected health information created, received, maintained, or transmitted to or by the plan sponsor on behalf of the group health plan.
Action Items:
1) Obtain and review plan documents. Evaluate and determine that, except when the only EPHI disclosed to a plan sponsor is in accordance with 45 CFR § 164.504(f)(1)(ii) or (iii) or authorized under 45 CFR § 164.508, the plan documents provide that the plan sponsor will reasonably and appropriately safeguard EPHI created, received, maintained or transmitted to or by the plan sponsor on behalf of the group health plan.
Related Documents:
1) Plan Documents
Additional Guidance:
The second standard in § 164.314 is the Requirements for Group Health Plans. The standard requires a group health plan to ensure that its plan documents require the plan sponsor to reasonably and appropriately safeguard EPHI that it creates, receives, maintains or transmits on behalf of the group health plan. (See 45 CFR § 164.314(b)(1).) Specific exceptions to this requirement are provided when the only EPHI disclosed to a plan sponsor is disclosed pursuant to permitted disclosures under the HIPAA Privacy Rule, specifically § 164.504(f)(1)(ii) or (iii), or as authorized under § 164.508. In other words, the Security Rule generally requires that if the plan sponsor of a group health plan has access to EPHI beyond summary information and enrollment information or to EPHI other than that which has been authorized under § 164.508, the plan documents must contain language similar to that already required by the Privacy Rule.
Article ID: 489
Created: September 29, 2022
Last Updated: September 29, 2022
Author: Matthew Burdick
Online URL: http://www.compliancewiki.org/article/hipaa-requirements-for-group-health-plans-164-314-b-1-489.html