By: HUB’s EB Compliance Team

“HIPAA is a sometimes confusing and obtuse federal law….” Wilson v. Unitedhealthcare Insurance Company (4th Cir. 2022). Even so, it is nevertheless important for plan sponsors to understand their HIPAA obligations. This is especially true when they receive requests from third parties. While the case involved a health insurer, it is instructive to plan sponsors on how they should respond when receiving these letters (and how they should push their service providers to respond).

The Facts

This case involves a clash between claims procedures under the Employee Retirement Income Security Act (“ERISA”) and the requirement to keep individually identifiable health information private under the Health Insurance Portability and Accountability Act (“HIPAA”).

Under the facts, a minor, JW, received residential treatment for certain mental illnesses. The insurer denied the treatments as not medically necessary. JW’s parents engaged a lawyer to assist in contesting the claim denials. The lawyer wrote the insurer stating that the lawyer represented JW and requesting all documents relevant to JW’s claims. The request included a HIPAA authorization directing the insurer to provide documents to the lawyer, but the signature on the authorization was illegible, it was on the incorrect line of the form, and the form was missing other key details. As a result, the insurer did not provide any documents to the lawyer or respond in any way.

Normally, under ERISA, someone claiming benefits must go through the plan’s appeal process (and, in some cases, external review) before suing in court. Among other claims in the lawsuit, JW’s parents, on JW’s behalf, said that they were excused from this requirement. In short, they argued the insurer’s failure to respond at all to the attorney’s letters meant the claim had effectively been denied.

The insurer argued that because the HIPAA authorization form was defective, it could not provide any response to the lawyer.  Doing so would effectively acknowledge that JW had received treatment, which would itself be health information the insurer could not disclose. The argument turned on a clash of two sets of legal rules.

ERISA v. HIPAA

Under the ERISA claims procedures, a person making a claim against the plan (called a “claimant”) is entitled to “all documents, records, and other information relevant to the claimant’s claim for benefits” among other internal guidelines or protocols that were used in denying the claim.  ERISA also provides that participants are entitled to plan documents upon request. Finally, ERISA allows claimants to designate representatives (like attorneys) to pursue claims on their behalf. Notably, ERISA does not specify how to designate a representative. Instead, it leaves it to each plan to establish a reasonable process.

By contrast, HIPAA authorizations must meet very specific requirements. If those requirements are not met, then protected health information may not be disclosed to the representative. Those requirements include, among others, a signature and date. Additionally, if the authorization is signed by a personal representative (such as the parent of a minor, as in this case), a description of that person’s authority must also be provided. It was not, in this case.

As is perhaps apparent, ERISA’s broad disclosure obligations in the context of claims and relatively loose authorization standard is somewhat at odds with HIPAA’s more narrow focus on protected health information and more stringent requirements for disclosing that information.

What’s an insurer to do?

The insurer fundamentally made two arguments:

  1. Providing any information in response to the defective HIPAA authorization would be effectively acknowledging that JW was receiving treatment and therefore violate HIPAA; and
  1. Even alerting the attorney to the defective HIPAA authorization could itself violate HIPAA.

The idea seems to have been that such disclosures would be acknowledging, indirectly, that the medical information referenced in the attorney’s letter regarding JW’s claims was true.

Splitting the Difference

The Court was unpersuaded, at least partially.

As to general information, like plan documents or medical necessity guidelines, the Court ruled that a valid ERISA designation (which the lawyer seemed to have) was enough to trigger disclosure of those items. The Court held that these were general documents that apply to all beneficiaries in the plan and were not specific to JW. Under ERISA’s broader disclosure obligations, these documents could be and should have been disclosed.

On more specific information, the Court agreed with the insurer that the claims information specific to JW could not be disclosed due to the defective HIPAA authorization.

Don’t Just Sit There

The Court also took a dim view of the insurer’s complete silence in response to the attorney. First, as noted, the Court determined that generic documents should have been provided.

Additionally, the Court said that ERISA’s fiduciary rules obligated the insurer to notify the attorney of the defective authorization. The Court emphasized that this is a narrow holding. It is not as though the carrier (or a plan sponsor) has to lead claimants by the hand through the claims process. However, where the claimant (or the claimant’s purported representative) has made a good faith attempt to seek information that has a minor deficiency, ERISA’s overarching fiduciary duties require that the insurer reach out to let the requester know that the HIPAA authorization is deficient. Silence is likely not an appropriate answer.

Takeaways for Employers

While most employers rely on their insurers or third-party administrators (“TPA”)/administrative services only (“ASO”) provider to handle claims issues, requests do occasionally come to employers. This case is instructive that employers should not just stay silent, even if the HIPAA authorization is defective in some manner. Employers should consider taking the following actions:

  1. Reach out to the carrier/TPA/ASO provider for the plan to coordinate a response. In many cases, by the time the employer receives the letter, it has already been sent to the carrier/TPA/ASO provider.
  1. Don’t treat a defective notice or incomplete authorization as license to do nothing. This case strongly suggests that some level of response should be given to a good faith attempt to engage the plan.

  1. Don’t treat a defective notice or incomplete authorization as perfect either. This case is also pretty clear that a plan sponsor or other person receiving these notices does not have to completely overlook defects. Requiring the requesting party to meet HIPAA’s requirements is not only reasonable, it’s necessary.

    Additionally, while it was not a feature of this case, plan sponsors should be aware that there are law firms or other entities that sometimes send demand letters “in bulk” for out-of-network providers. In many cases, these letters do not adequately designate these law firms or other entities as designated representatives under the terms or procedures of the plans and may make demands that aren’t required to be answered under ERISA. The HIPAA authorizations may be defective as well (if they are present at all).  All of this is to say that some level of analysis and thoughtful consideration is required.

  1. If there are any concerns, consult with competent ERISA counsel. Usually, by the time a lawyer is involved something has gone wrong anyway. If it’s a large enough claim, consider involving competent ERISA counsel to assist in the response.

If you have any questions, please contact your HUB Advisor. View more compliance articles in our Compliance Directory.

NOTICE OF DISCLAIMER

Neither Hub International Limited nor any of its affiliated companies is a law or accounting firm, and therefore they cannot provide legal or tax advice. The information herein is provided for general information only and is not intended to constitute legal or tax advice as to an organization’s or individual's specific circumstances. It is based on Hub International's understanding of the law as it exists on the date of this publication. Subsequent developments may result in this information becoming outdated or incorrect and Hub International does not have an obligation to update this information. You should consult an attorney, accountant, or other legal or tax professional regarding the application of the general information provided here to your organization’s specific situation in light of your or your organization’s particular needs.