Can a group health plan, or health insurance issuer with respect to a group health plan, disclose to the plan sponsor the protected health information (PHI) required by the Centers for Medicare and Medicaid Services (CMS) for the retiree drug subsidy, without obtaining the individual’s authorization?
Yes, when the conditions set forth in 45 CFR 164.504(f) of the HIPAA Privacy Rule have been met. Specifically, 45 CFR 164.504(f)(3)(i) allows a group health plan or a health insurance issuer with respect to the group health plan – or its business associate – to disclose PHI to a plan sponsor to carry out plan administration functions as long as it meets the requirements of 45 CFR 164.504(f)(2). As such, where the plan sponsor is carrying out the plan administration function of submitting to CMS the PHI required by 42 CFR 423.884 for the retiree drug subsidy, 45 CFR 164.504(f)(2) sets forth how the group health plan’s plan documents are to be amended to allow the group health plan to permit its health insurance issuer (or business associate, such as a third party administrator) to disclose PHI, without the individual’s authorization, to the plan sponsor of the group health plan. As with other disclosures for plan administration functions, the PHI disclosed must be limited to the minimum necessary to fulfill the requirements of 42 CFR 423.884.