Amend group health plan document for employer use of protected health information


Issue:

To conduct various plan administrative functions, our benefits personnel will need access to employees' protected health information (PHI). How can we obtain PHI without getting a signed authorization from each employee?

Answer:

If an employer wants access to PHI for plan administrative functions (e.g., quality assurance, claims processing, auditing, and monitoring) without authorization, it must amend the group health plan document to impose specified limits on the use and disclosure of the information. For example, use must be limited to plan purposes and access restricted to a specified group of individuals involved in plan administration. The employer also will be required to certify that the plan amendments have been made and that it agrees to follow the applicable restrictions.

Amending plan document. For an employer to use and disclose PHI, the plan document must be amended to do the following:

  • Establish the permitted and required uses and disclosures of such information by the plan sponsor, consistent with the privacy rules
  • Provide that the plan will disclose PHI to the employer only with certification that the employer agrees to the following:

    (A) Not use or further disclose the information other than as permitted or required by the plan documents or as required by law;

    (B) Ensure that any outside parties to whom it provides protected health information agree to the same restrictions and conditions that apply to the employer;

    (C) Not use or disclose the information for employment-related actions and decisions or in connection with any other benefit or employee benefit plan;

    (D) Report to the group health plan any known inconsistent use or disclosure of the information;

    (E) Make available information in accordance with the rules regarding individual access to PHI;

    (F) Make available protected health information for amendment and incorporate any amendments to PHI;

    (G) Make available the information required to provide an accounting of disclosures;

    (H) Make internal practices, books, and records relating to PHI available to the Department of Health and Human Services for purposes of determining compliance; and

    (I) If feasible, return or destroy all PHI that the employer still maintains in any form and retain no copies of such information.
