References available upon request.

HIPAA Privacy Rule

The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and protected health information (PHI), applying to health plans, clearinghouses, and providers. It limits the uses and disclosures of PHI that may be made without patient consent, grants patients rights to access and correct their records, and requires, through the HHS Office for Civil Rights, that covered entities provide a Notice of Privacy Practices. [1, 2, 3, 4]

Employers can generally discuss the structure of their group health plans with third parties (such as brokers, consultants, or prospective administrators) without violating HIPAA, provided they do not share Protected Health Information (PHI) identifying specific employees. When plan information is shared with third-party service providers (Business Associates), HIPAA requires a written contract to be in place to ensure confidentiality.

HealthLock client stories

Talk to a reference.

Want to hear how this works in practice? We’ll connect you with a current client whose situation looks like yours.

Request a Reference Call