In recent years, as receipts from escheated property have continued to swell state coffers, unclaimed property administrators have become increasingly aggressive in enforcing compliance through unclaimed property audits. We’ve recently had several occasions to assist clients operating in the broadly defined health care space in responding to state-initiated unclaimed property audits. Such audits offer interesting challenges in weighing the conflicting obligations of covered entities and business associates as they balance their legal obligation to respond to a properly issued subpoena with their duty to protect personally identifiable and protected health information. Holders of potentially reportable unclaimed property in the health care space must keep in mind their obligations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) while responding to state-initiated audits.
Under HIPAA, covered entities (health plans, health care clearinghouses, and health care providers who transmit any health information in electronic form) and business associates (organizations or individuals that provide services to a covered entity which involve the use of protected health information (PHI)) are limited in their ability to use and disclose PHI. Accordingly, certain requirements must be met before PHI is disclosed to a government agency (or its agent/contractor) in response to a state-initiated audit.
PHI is broadly defined under 45 C.F.R. § 160.103 as patient information that is created or received by a health care provider, which relates to the past, present, or future physical or mental health or condition of an individual or the provision of health care to an individual, and either identifies the individual or provides a reasonable basis for belief that the information can be used to identify the individual. PHI includes, but is not limited to, patient names, dates of services, addresses, account numbers, and dates of birth. In many instances, state unclaimed property auditors request information including certain PHI to determine whether certain types of property held by a business – such as refunds, deposits, overpayments, and credit balances – constitute unclaimed property subject to escheat. When an escheat auditor requests information, covered entities and business associates should first determine whether the information requested constitutes or contains PHI. If so, next steps depend on whether the holder is a covered entity or a business associate under HIPAA.
If the holder is a covered entity, it should first determine whether the requested information can be deidentified pursuant to 45 C.F.R. § 164.514(b)(2)(i) by removing names, geographic subdivisions smaller than a state, all elements of dates (except year) for dates directly related to an individual, telephone numbers, fax numbers, email addresses, social security numbers, medical record numbers, health plan beneficiary numbers, account numbers, certificate/license numbers, vehicle identifiers and serial numbers (including license plate numbers), device identifiers and serial numbers, web universal resource locators (URLs), IP address numbers, biometric identifiers, and full-face photographic images and comparable images associated with the patient and/or the patient’s relatives, employers, or household members. Before delivering any requested information to the auditors, the covered entity should deidentify the information and ensure that it does not have actual knowledge that the deidentified information can be used alone or in combination with other information to identify the individual who is the subject of the information. If the requested information cannot be deidentified, the covered entity should review HIPAA and consult with legal counsel to determine whether the information can be provided without a patient authorization. Legal counsel can also assist in determining whether the state in which the covered entity operates has more stringent data protections for PHI or other personally identifiable information, and whether any requested information could be shared through a state-recognized all-payor claims database.
If the holder is a business associate, it should first review its business associate agreement to determine the appropriate next steps. These steps, depending on the terms of the agreement, may include notifying the covered entity of the audit, determining whether the information can be deidentified, and/or reviewing HIPAA to determine whether the requested information can be provided without patient authorization.
Legal counsel can assist in determining the respective rights and obligations of covered entities and business associates with respect to unclaimed property audit requests, and in navigating the audit response process in accordance with applicable federal and state law.