Health Plans Disclosing Data To State All Payer Data Banks Face HIPAA Risks

Self-insured employer or union sponsored health plans (Plans), their fiduciaries, third party administrative or other service providers, and sponsors should consult legal counsel for advice about whether their Plans might violate the Privacy Rule of the Health Insurance Portability & Accountability Act (HIPAA) by disclosing individually identifiable claims or other Plan records or data to a state “all payer” claims or other data base in response to a state law or regulation mandating those disclosures in light of the Supreme Court’s recent ruling in Gobeille v. Liberty Mutual, 136 S. Ct. 936 (2016).

Gobeille involved a challenge to a Vermont “all payer” law similar to laws enacted by at least 20 other states, that requires health plan payers, their administrators or both to disclose individually identifiable health claims and other claims data about Plan members to a state created all payer data base. The Vermont law challenged in Gobeille required health insurers and other payers to disclose treatment information about Plan members as well as other certain health care claim payment and other data to an all payer claims database, which under the law is made “available as a resource for insurers, employers, providers, purchasers of health care, and State agencies to continuously review health care utilization, expenditures, and performance in Vermont.  See Gobeille at 941.  Vermont’s law requires third party administrators of self-insured Plans and other payers to disclose the information regardless of whether the member resides or received the treatment in Vermont.

In Gobeille, the Supreme Court ruled that the preemption provisions of Section 514 of the Employee Retirement Income Security Act (ERISA) bar Vermont from requiring self-insured ERISA Plans

In addition to excusing self-insured Plans from the trouble and expense of complying with Vermont’s disclosure law, the Supreme Court’s ruling in Gobeille that Vermont cannot enforce the law against self-insured ERISA Plans raises a concern that the Privacy Rules of HIPAA may prohibit Plans from disclosing certain individually identifiable claims information.  The HIPAA compliance concern arises because the  claims information and other data that the Vermont and most other similar laws require Plans and other payers to disclose generally is or include information that qualifies as “protected health information” within the meaning of the HIPAA Privacy Rule. These laws generally are structured either to directly require self-insured Plans to disclose the claims data directly, indirectly compel the disclosure by requiring third party administrators of such Plans to disclose the claims information for Plans they administer, or both.

Under the HIPAA Privacy Rule, Plans and other HIPAA-covered entities and service providers acting as business associates of the Plans are prohibited from using or disclosing individually identifiable protected health information unless the use or disclosure is expressly authorized by the Privacy Rule. Since violations of the Privacy Rule trigger substantial civil or even criminal penalties under HIPAA, Plans, their fiduciaries, service providers acting as business associates and other members of their workforce need to verify that the disclosure meets all of the requirements to fall within an exception to the Privacy Rule’s prohibition against disclosure before allowing such a disclosure

Before Gobeille, many self-insured Plans and their administrators treated the disclosures of individually identifiable claims data of the Plans as permitted as a disclosure “required by law” Privacy § 164.512(a), which provides in relevant part:

  1. a) Standard: Uses and disclosures required by law.

 (1)  A covered entity may use or disclose protected health information to the extent that such use or disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of such law.

 (2)  A covered entity must meet the requirements described in paragraph (c), (e), or (f) of this section for uses or disclosures required by law.

The Gobeille ruling that that the Vermont law is unenforceable against self-insured Plans appears to eliminate the availability of this exception as a basis for allowing disclosures in response to the Vermont law as well as calls into question the ability of Plans to rely upon the “required by law” exception to the Privacy Rule to justify disclosures of protected health information to state all payer data bases in response to similar requirements enacted in the other 20 states that have enacted similar mandates.  Plans that previously disclose or intend in the future to disclose protected health information to a state all payer data base in Vermont or another state generally will want to carefully document their justification, if any for making that disclosure under the Privacy Rule.

Unless the disclosure otherwise falls within another exception to the HIPAA Privacy Rule against disclosures without authorization, Plans, their sponsors, fiduciaries, third party administrators and other service providers and other members of the Plan workforce at minimum should be concerned that the HIPAA risks of disclosing protected health information in response to these state mandates after Gobeille. Plans that decide not to disclose information otherwise required by such state law requirements in light of the Gobeille ruling or HIPAA concerns may want to consult with qualified legal counsel about the steps, if any, that the Plan might want to take to document its ERISA preemption or other justifications for not providing the otherwise required disclosures.

Beyond evaluating the advisability of future disclosures in response to the Vermont or another similar all payer statute, Plans whose data previously was disclosed by the Plan or its administrator to an all payer data base under the belief that the disclosure was required by law also may want to seek the advice of qualified legal counsel about whether these prior disclosures triggered breach notification responsibilities under the Breach Notification rules of HIPAA with respect to any disclosures previously made. When electronic protected health information is used or disclosed in violation of HIPAA, the Breach Notification Rules of HIPAA generally require Plans and their business associates timely notify impacted individuals and the Department of Health & Human Services Office of Civil Rights (OCR) in accordance with the detailed requirements set forth in OCR’s implementing regulations.  Furthermore, where a breach involves 500 or more individuals, the timetable for providing notification to OCR is accelerated and the Plan also is required to provide notification to the media and others.

About The Author

Cynthia Marcotte Stamer is a noted Texas-based management lawyer and consultant, author, lecturer and policy advocate, recognized for her nearly 30-years of cutting edge management work as among the “Top Rated Labor & Employment Lawyers in Texas” by LexisNexis® Martindale-Hubbell® and as among the “Best Lawyers In Dallas” for her work in the field of “Tax: Erisa & Employee Benefits” and “Health Care” by D Magazine.

Board Certified in Labor & Employment Law by the Texas Board of Legal Specialization, a Fellow in the American College of Employee Benefit Counsel, past Chair and current committee Co-Chair of the American Bar Association (ABA) RPTE Section Employee Benefits Group, Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, former Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, a former  ABA Joint Committee on Employee Benefits Council Representative and , Ms. Stamer helps management manage.

Ms. Stamer’s legal and management consulting work throughout her nearly 30-year career has focused on helping organizations and their management use the law and process to manage people, process, compliance, operations and risk. Highly valued for her rare ability to find pragmatic client-centric solutions by combining her detailed legal and operational knowledge and experience with her talent for creative problem-solving, Ms. Stamer helps public and private, domestic and international businesses, governments, and other organizations and their leaders manage their employees, vendors and suppliers, and other workforce members, customers and other’ performance, compliance, compensation and benefits, operations, risks and liabilities, as well as to prevent, stabilize and cleanup workforce and other legal and operational crises large and small that arise in the course of operations.

Ms. Stamer works with businesses and their management, employee benefit plans, governments and other organizations deal with all aspects of human resources and workforce, internal controls and regulatory compliance, change management and other performance and operations management and compliance. She supports her clients both on a real time, “on demand” basis and with longer term basis to deal with daily performance management and operations, emerging crises, strategic planning, process improvement and change management, investigations, defending litigation, audits, investigations or other enforcement challenges, government affairs and public policy.

Well known for her extensive work with health care, insurance and other highly regulated entities on corporate compliance, internal controls and risk management, her clients range from highly regulated entities like employers, contractors and their employee benefit plans, their sponsors, management, administrators, insurers, fiduciaries and advisors, technology and data service providers, health care, managed care and insurance, financial services, government contractors and government entities, as well as retail, manufacturing, construction, consulting and a host of other domestic and international businesses of all types and sizes. Common engagements include internal and external workforce hiring, management, training, performance management, compliance and administration, discipline and termination, and other aspects of workforce management including employment and outsourced services contracting and enforcement, sentencing guidelines and other compliance plan, policy and program development, administration, and defense, performance management, wage and hour and other compensation and benefits, reengineering and other change management, internal controls, compliance and risk management, communications and training, worker classification, tax and payroll, investigations, crisis preparedness and response, government relations, safety, government contracting and audits, litigation and other enforcement, and other concerns.

Ms. Stamer uses her deep and highly specialized health, insurance, labor and employment and other knowledge and experience to help employers and other employee benefit plan sponsors; health, pension and other employee benefit plans, their fiduciaries, administrators and service providers, insurers, and others design legally compliant, effective compensation, health and other welfare benefit and insurance, severance, pension and deferred compensation, private exchanges, cafeteria plan and other employee benefit, fringe benefit, salary and hourly compensation, bonus and other incentive compensation and related programs, products and arrangements. She is particularly recognized for her leading edge work, thought leadership and knowledgeable advice and representation on the design, documentation, administration, regulation and defense of a diverse range of self-insured and insured health and welfare benefit plans including private exchange and other health benefit choices, health care reimbursement and other “defined contribution” limited benefit, 24-hour and other occupational and non-occupational injury and accident, expat and medical tourism, onsite medical, wellness and other medical plans and insurance benefit programs as well as a diverse range of other qualified and nonqualified retirement and deferred compensation, severance and other employee benefits and compensation, insurance and savings plans, programs, products, services and activities. As a key element of this work, Ms. Stamer works closely with employer and other plan sponsors, insurance and financial services companies, plan fiduciaries, administrators, and vendors and others to design, administer and defend effective legally defensible employee benefits and compensation practices, programs, products and technology. She also continuously helps employers, insurers, administrative and other service providers, their officers, directors and others to manage fiduciary and other risks of sponsorship or involvement with these and other benefit and compensation arrangements and to defend and mitigate liability and other risks from benefit and liability claims including fiduciary, benefit and other claims, audits, and litigation brought by the Labor Department, IRS, HHS, participants and beneficiaries, service providers, and others. She also assists debtors, creditors, bankruptcy trustees and others assess, manage and resolve labor and employment, employee benefits and insurance, payroll and other compensation related concerns arising from reductions in force or other terminations, mergers, acquisitions, bankruptcies and other business transactions including extensive experience with multiple, high-profile large scale bankruptcies resulting in ERISA, tax, corporate and securities and other litigation or enforcement actions.

Ms. Stamer also is deeply involved in helping to influence the Affordable Care Act and other health care, pension, social security, workforce, insurance and other policies critical to the workforce, benefits, and compensation practices and other key aspects of a broad range of businesses and their operations. She both helps her clients respond to and resolve emerging regulations and laws, government investigations and enforcement actions and helps them shape the rules through dealings with Congress and other legislatures, regulators and government officials domestically and internationally. A former lead consultant to the Government of Bolivia on its Social Security reform law and most recognized for her leadership on U.S. health and pension, wage and hour, tax, education and immigration policy reform, Ms. Stamer works with U.S. and foreign businesses, governments, trade associations, and others on workforce, social security and severance, health care, immigration, privacy and data security, tax, ethics and other laws and regulations. Founder and Executive Director of the Coalition for Responsible Healthcare Policy and its PROJECT COPE: the Coalition on Patient Empowerment and a Fellow in the American Bar Foundation and State Bar of Texas, Ms. Stamer annually leads the Joint Committee on Employee Benefits (JCEB) HHS Office of Civil Rights agency meeting and other JCEB agency meetings. She also works as a policy advisor and advocate to many business, professional and civic organizations.

Author of the thousands of publications and workshops these and other employment, employee benefits, health care, insurance, workforce and other management matters, Ms. Stamer also is a highly sought out speaker and industry thought leader known for empowering audiences and readers. Ms. Stamer’s insights on employee benefits, insurance, health care and workforce matters in Atlantic Information Services, The Bureau of National Affairs (BNA),, Benefits Magazine, Employee Benefit News, Texas CEO Magazine, HealthLeaders, Modern Healthcare, Business Insurance, Employee Benefits News, World At Work, Benefits Magazine, the Wall Street Journal, the Dallas Morning News, the Dallas Business Journal, the Houston Business Journal, and many other publications. She also has served as an Editorial Advisory Board Member for human resources, employee benefit and other management focused publications of BNA,, Employee Benefit News, and many other prominent publications. Ms. Stamer also regularly serves on the faculty and planning committees for symposia of LexisNexis, the American Bar Association, ALIABA, the Society of Employee Benefits Administrators, the American Law Institute, ISSA, HIMMs, and many other prominent educational and training organizations and conducts training and speaks on these and other management, compliance and public policy concerns.

Ms. Stamer also is active in the leadership of a broad range of other professional and civic organizations. For instance, Ms. Stamer serves on the Advisory Boards of,, Employee Benefit News, and as an editorial advisor and contributing author of many other publications. Her leadership involvements with the American Bar Association (ABA) include year’s serving many years as a Joint Committee on Employee Benefits Council representative; ABA RPTE Section current Practice Management Vice Chair and Substantive Groups & Committees Committee Member,  RPTE Employee Benefits & Other Compensation Committee Past Group Chair and Diversity Award Recipient,  current Defined Contribution Plans Committee Co-Chair, and  past Welfare Benefit Plans Committee Chair Co-Chair; Past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group and a current member of its Healthcare Coordinating Council; current Vice Chair of the ABA TIPS Employee Benefit Committee; International Section Life Sciences Committee Policy Vice Chair; and a speaker, contributing author, comment chair and contributor to numerous Labor, Tax, RPTE, Health Law, TIPS, International and other Section publications, programs and task forces.  Other selected service involvements of note include Vice President of the North Texas Healthcare Compliance Professionals Association; past EO Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division; founding Board Member and President of the Alliance for Healthcare Excellence, as a Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; the Board President of the early childhood development intervention agency, The Richardson Development Center for Children; Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee; a former Southwest Benefits Association Board of Directors member, Continuing Education Chair and Treasurer; former Texas Association of Business BACPAC Committee Member, Executive Committee member, Regional Chair and Dallas Chapter Chair; former Society of Human Resources Region 4 Chair and Consultants Forum Board Member and Dallas HR Public Policy Committee Chair; former National Board Member and Dallas Chapter President of Web Network of Benefit Professionals; former Dallas Business League President and others. For additional information about Ms. Stamer, see or contact Ms. Stamer via email here or via telephone to (469) 767-8872.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal control and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources at such as:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating or updating your profile here.  ©2016 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc. ™. All other rights reserved.

Comments are closed.

%d bloggers like this: