A Broker & Reinsurer for one of my fully insured groups that is leaving us in October is asking for the diagnosis codes for large claimants. That is a HIPAA no can do correct?
Google says it is OK so long as there is no IIHI as well. But I am still not convinced.
We have an exhibit giving them the following:
STATUS: Active/Deceased/Terminated
RELATIONSHIP: EE/SPOUSE/CHILD
DIAGNOSIS CATEGORY (1 of 25 possible)
$Medical
$Rx
The combo of STATUS and RELATIONSHIP could point to an individual is where I am concerned
Iâm not a HIPPA expert or even someone who works on Health.
However in my companyâs annual mandatory privacy training, one of the last slides is the directive âif you have questions or are the least bit uncertain contact [address of a âprivacy complianceâ mailbox]â. If your company doesnât have something similar (if theyâre of any size, they should), reaching out to an appropriate legal/compliance person would be the best way to go.
Iâm not a full-on expert but I think this is kosher, though Iâd want to clear it with legal to be sure. I know my broker has provided similar information on our plan. We had a high claimant and we were told it was the spouse of a current employee, and they opined about the likelihood of the high cost continuing so we could budget for that if needed.
This is pretty typical information used by brokers when obtaining stop-loss coverage for a group.
HIPAA includes a Safe-Harbor provision that lists all the fields that need to be eliminated from a dataset before it is considered properly de-identified. None of those fields are in that list, but if you feel that a list of large claimants from a small group constitutes a possible re-identification risk, then you are under no obligation to provide the data.
As others have mentioned, contact your internal legal dept.