Have you ever been refused data from your own benefit program? Does this sound familiar? "I'm so sorry, but I can't provide you with that data due to HIPAA, and our confidential agreements with managed care organizations preclude us from releasing the information you have requested. I know that it is your data, but we just can't give it to you."
MyHealthGuide Source: Scott Haas, Erik Davis and Terry Killilea, Wells Fargo Insurance Services USA, Inc. (WFIS), 6/9/2012, https://wfis.wellsfargo.com/
The authors conclude that "Given the respective roles of the plan and service providers under both HIPAA and ERISA, service providers are obligated to release to the plan sponsor or their designated agent any and all detailed data elements created in the course of their performance under their service agreement."

Our client is a self-funded health plan seeking access to certain plan data that includes personally identifiable health information (PHI) as well as operational transaction results that a service provider deems to be proprietary.
Frequently, when contracting for an Administrative Services Only (ASO) arrangement with a health insurance company, the insurance company is unwilling to provide detailed line-item claims adjudication and enrollment data. Generally, insurance companies refuse to provide this data on the grounds that the contractually allowed fees negotiated with providers and hospitals are proprietary information. They offer additional rationales for refusing to provide this data, including restrictive covenants between them and contracting providers and hospitals, and fear of exposing competitive secrets.
HIPAA Privacy Rule
HIPAA’s privacy and security rules apply to covered entities. Covered entities are required to establish a HIPAA privacy and security infrastructure to protect personal health information (PHI). Self-funded plans are covered entities under HIPAA, and therefore, are required to maintain an infrastructure to protect PHI. WFIS is a Business Associate to our clients who are covered entities under HIPAA and, as a Business Associate, is directly subject to the HIPAA privacy and security provisions.
The Employee Retirement Income Security Act (ERISA) imposes fiduciary responsibilities on plan sponsors to operate and maintain the plan in the best interest of the participants. Plan sponsors, including sponsors of self-funded plans, are subject to those fiduciary obligations.
Self-funded plans are covered entities liable to participants and bound by governmental regulation to comply with HIPAA privacy and security standards. Service providers, such as third-party administrators (TPAs) or insurance carriers, that help self-funded plans are not covered entities. These service providers generally disclaim fiduciary responsibility, leaving it with the plans for which they provide service, within the written agreement that governs the relationship between the plan and the administrator.
As such, a service provider is not a covered entity and specifically acknowledges not being an ERISA fiduciary in its administrative service agreement. Again, the self-funded plan is the covered entity and an ERISA fiduciary, and the self-funded plan (and the individuals responsible for its management) are directly liable to its participants. Therefore, the service provider cannot withhold from the plan its own data, including personally identifiable health information and the operational results of transaction management created by the service provider. Withholding such information puts the plan client at risk from a liability standpoint.
The primary responsibility of fiduciaries is to run the plan solely in the interest of participants and beneficiaries and for the exclusive purpose of providing benefits and paying plan expenses. In addition, they must follow the terms of plan documents to the extent that the plan terms are consistent with ERISA. They also must avoid conflicts of interest. In other words, they may not engage in transactions on behalf of the plan that benefit parties related to the plan, such as other fiduciaries, service providers or the plan sponsor.
Fiduciaries that do not follow these principles of conduct may be personally liable to restore any losses to the plan, or to restore any profits made through improper use of plan assets. Courts may take whatever action is appropriate against fiduciaries that breach their duties under ERISA, including their removal.
Plan administration, compliance, testing and asset recordkeeping ultimately are the responsibilities of the plan sponsor and the individual fiduciaries within the plan. If the plan is not administered properly by experienced organizations and professionals with appropriate systems, security, procedures, policies and back-up, then the risk of non-compliance with IRS and Department of Labor (DOL) requirements increases.
The plan’s ownership of, and entitlement to, its own data is supported and underscored by the fact that service providers specifically state in their agreements that they are not plan fiduciaries, but rather provide services that are generally considered a “ministerial” and not a “fiduciary” activity. Service agreements between the service providers and the plan sponsor clearly indicate that they are not acting in a fiduciary capacity since they are serving at the direction of and not making discretionary decisions for the plan sponsor. Ministerial functions are excluded from the definition of fiduciary.
The definition of "ministerial" very clearly indicates that a service provider is subservient to the plan. It in no way supports a claim that certain data elements, created through the adjudication of services the service provider performs on behalf of the plan, entitle the provider to withhold information from the plan, nor does it excuse the provider from disclosure on the grounds that the information is proprietary and unique to its organization. This relationship requires obedience and loyalty from service providers to the contracted plan sponsors for whom they provide service.
Given the respective roles of the plan and service providers under both HIPAA and ERISA, service providers are obligated to release to the plan sponsor or their designated agent any and all detailed data elements created in the course of their performance under their service agreement.
About the Authors
Erik Davis, Dr. Terry Killilea and Scott Haas work in the Portland, OR office of Wells Fargo Insurance Services USA, Inc. Erik Davis is the practice leader of Integrated Healthcare Metrics. Terrance Killilea, Pharm.D., is Vice President, Integrated Healthcare Metrics - Clinical and Fiscal Integration. Scott Haas is Vice President, Integrated Healthcare Metrics.