Group health plans that provide health benefits only through an insurance contract and do not create, maintain or receive PHI do not have to meet the notice requirements or the administrative requirements. These requirements will be satisfied by the insurer or HMO that is providing benefits under the group health plan. For those groups, Blue Cross Blue Shield of Michigan (BCBSM) and Blue Care Network (BCN) will comply with HIPAA's administrative requirements, including preparation and distribution of required privacy notices for the group.
The relation between BCBS/BCN and an underwritten group is as follows:
| Relationship |
Area/Industry |
Experience (BCBSM only) |
|---|---|---|
| Covered Entity Status |
BCBSM/BCN is the covered entity |
BCBSM is the covered entity |
| Business Associate Status |
None |
None |
| Notice of Privacy Practices |
|
BCBSM sends its Notice to members |
| Disclosure of protected health information (PHI) to the group |
|
Enrollment data and Summary Health Information may be shared with these groups. If the group wants PHI from BCBSM, their plan documents must be amended to incorporate HIPAA safeguards and they must sign and return the Plan Sponsor Certification. |
If you are uncertain how the HIPAA privacy rule applies to a fully insured group health plan, please read the privacy rule and seek legal counsel as necessary. The rule can be accessed at www.hhs.gov/ocr/hipaa.