Does a State Exchange Have to Comply with HIPAA? HIPAA & HITECH Act Blog by Jonathan P. Tomes and Guest Commentator Richard D. Dvorak


Last week, NBC affiliate station WGRZ contacted EMR Legal for our opinion on whether the New York health care exchange had committed a Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) violation. The state exchange had sent a broadcast email message to hundreds of individuals who had electronically enrolled with the exchange. The message reminded everyone who had registered that they needed to select a health plan before March 31, 2014. Unintentionally, the message disclosed the email addresses of every recipient to every other recipient.

New York State established its own state-based exchange called the New York State of Health Marketplace rather than just having its residents enroll in the federal government’s exchange. Whether and to what extent the disclosure was a HIPAA violation or a violation of the privacy provisions of the federal exchange standards in the Patient Protection and Affordable Care Act (“PPACA”), or both, is not an easy question to answer and one that I could not fully respond to in the limited time of the interview—hence, this blog item. Because my partner, Jonathan P. Tomes, the President of EMR Legal, my consulting firm, had done work for New York and California clients on this issue, we wrote this blog post together.

An organization involved in a state exchange program may have to comply with HIPAA in any of three ways:

(1) The state law establishing its exchange specifies that it must comply with HIPAA;

(2) even if state law does not so specify, the PPACA provides that, if the exchange performs the functions of a HIPAA covered entity, it must comply with HIPAA; or

(3) it qualifies as a business associate of the qualified health plans to which it refers individuals and, hence, must follow HIPAA’s business associate privacy and security requirements.

The Department of Health and Human Services (“DHHS”) side-stepped the HIPAA issue when it published rules in March 2012 dealing with the establishment of exchanges. In response to commentators seeking clarification as to whether an exchange would be subject to HIPAA as a business associate, DHHS said that each state would determine the applicability of HIPAA to its exchange. DHHS added “clarifying” language to 45 C.F.R. § 155.200 saying that, to the extent that an exchange performs “minimum functions” described in the regulation, it would not be acting on behalf of a qualified health plan offering coverage on the exchange and so would not be subject to HIPAA.

New York, unfortunately, was unable to pass a statute specifying its exchange’s HIPAA status, and its exchange was created by executive order, which does not mention HIPAA at all. Thus, HIPAA applies to the exchange only under the second or third route above: if it performs the functions of a HIPAA covered entity or if it is acting as a business associate of a qualified health plan.

If the New York State of Health Marketplace must comply with HIPAA, then sending each recipient the email addresses of every other recipient was a disclosure that the individuals had not consented to and that neither the PPACA nor any other law or regulation authorized, and it would therefore be a breach.

Even if HIPAA does not apply, exchanges are still required to abide by the PPACA privacy and security requirements set forth in 45 C.F.R. § 155.260 (which can be seen as “HIPAA-lite” standards); they are subject to full-fledged HIPAA requirements only if they perform functions other than or in addition to those described in § 155.200.

Under the PPACA, the “personally identifiable information” (“PII”) that exchanges must protect is defined by reference to Office of Management and Budget (“OMB”) Memorandum M-07-16. That memorandum defines PII as information that can be used to distinguish or trace an individual’s identity, such as the individual’s name, Social Security number, or biometric records, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual, such as date and place of birth or mother’s maiden name. An email address would seem to fall within this broad definition and thus to be protected under the PPACA even if HIPAA does not apply. The PPACA regulation states in pertinent part:

Sec. 155.260 Privacy and security of personally identifiable information.

(a) Creation, collection, use and disclosure. (1) Where the Exchange creates or collects personally identifiable information for the purposes of determining eligibility for enrollment in a qualified health plan; determining eligibility for other insurance affordability programs, as defined in 155.20; or determining eligibility for exemptions from the individual responsibility provisions in section 5000A of the Code, the Exchange may only use or disclose such personally identifiable information to the extent such information is necessary to carry out the functions described in Sec. 155.200 of this subpart.

(2) The Exchange may not create, collect, use, or disclose personally identifiable information while the Exchange is fulfilling its responsibilities in accordance with Sec. 155.200 of this subpart unless the creation, collection, use, or disclosure is consistent with this section.

(3) The Exchange must establish and implement privacy and security standards that are consistent with the following principles:

(v) Collection, use, and disclosure limitations. Personally identifiable health information should be created, collected, used, and/or disclosed only to the extent necessary to accomplish a specified purpose(s) and never to discriminate inappropriately;

(4) For the purposes of implementing the principle described in paragraph (a)(3)(vii) of this section, the Exchange must establish and implement operational, technical, administrative and physical safeguards that are consistent with any applicable laws (including this section) to ensure—

(i) The confidentiality, integrity, and availability of personally identifiable information created, collected, used, and/or disclosed by the Exchange; (emphasis added).

As of March 11, 2014, DHHS amended the above rules at 45 C.F.R. § 155.260, with an effective date of May 12, 2014, to specify more clearly that a non-exchange entity—that is, any individual or entity that (i) gains access to PII submitted to an exchange or (ii) collects, uses, or discloses PII gathered directly from applicants, qualified individuals, or enrollees while performing functions agreed to with the exchange—must maintain the security and privacy safeguards detailed above.

Thus, sending every enrollee the email addresses of all other enrollees would seem to violate the PPACA regardless of whether it also violates HIPAA.

Either law would require an exchange to implement reasonable and appropriate security measures and privacy protections to ensure that this type of breach does not occur or, as in this case, does not recur.

See Richard Dvorak’s interview here:
