Sample Draft Plan Sponsor Certification
CAUTION: This Sample Draft Plan Sponsor Certification is intended only to provide general
guidance on the content of the plan sponsor certification required under the Privacy Rules. This
sample draft does not constitute, and should not be taken as a substitute for, legal counsel.
Health plans have a wide variety of plan designs, features, and administration arrangements and,
accordingly, have a wide variety of uses and disclosures of health information. This Sample Draft
Plan Sponsor Certification was prepared with a hypothetical health plan in mind, and may not be
appropriate for use with any particular health plan. Any certification used in connection with a
health plan should be carefully customized to reflect that health plan’s business practices and
operations. In addition, individual states may impose additional limitations on use and disclosure
of health information, or may impose different certification requirements. Accordingly, the
applicability of state law privacy requirements should be taken into account when preparing a plan
sponsor certification in connection with a health plan. Legal counsel should review any plan
sponsor certification prior to use to assure that it complies with applicable laws and is suitable to
the plan for which it is intended to be used.
Certification of [Name of Employer]
Plan Sponsor of [Name of Plan]
Definitions: In this Certification, the following underscored terms, when appearing herein with
an initial capital, will have the meanings indicated for them in this Definitions Section.
“Disclosed PHI” means PHI maintained by the Plan Sponsor, to the extent that such PHI
is or has been disclosed to the Plan Sponsor by the Plan (or by an Insurer, if the Plan
provides for or permits such disclosure to the Plan Sponsor), except that it does not
include PHI released to the Plan Sponsor pursuant to written authorization of the
individual that is the subject of the PHI given in accordance with and meeting the
requirements of §164.508 of the Privacy Rules.
“Effective Date” means [April 14, 2003 or 2004].[1]
“Enrollment Information” means information described in §164.504(f)(1)(iii) of the
“Excepted Benefits” means any one or more of the following:
(a) Coverage for accident, disability income insurance, or any combination thereof.
(b) Coverage issued as a supplement to liability insurance.
(c) Liability insurance, including general liability insurance and automobile liability
(d) Worker's compensation or similar insurance.
(e) Automobile medical payment insurance.
(f) Credit-only insurance.
(g) Coverage for on-site medical clinics.
(h) Other similar insurance coverage, specified in regulations, under which benefits
for medical care are secondary or incidental to other insurance benefits.
[1] Use the 2003 effective date unless the plan qualifies as a small health plan (one with $5 million or less in annual
receipts). For small plans use the 2004 date.
“Insurer” means either or both of:
(a) An insurance company, insurance service, or insurance organization that is
licensed to engage in the business of insurance in a state, is subject to state laws
that regulate insurance, and is providing coverage under the Plan.
(b) A federally-qualified health maintenance organization, an organization
recognized as a health maintenance organization under applicable state law, or a
similar organization regulated for solvency under applicable state law in the same
manner and to the same extent as a health maintenance organization, that is
providing coverage under the Plan.
“Medical Care” means the diagnosis, cure, mitigation, treatment, or prevention of
disease; services and supplies applied for the purpose of affecting any structure or
function of the body; transportation primarily for and essential to obtaining any of the
foregoing; and insurance covering any of the foregoing.
“PHI” means protected health information, as defined in §164.501 of the Privacy Rules;
provided, however, that neither Summary Health Information nor Enrollment Information
shall constitute PHI.[2]
“Plan” means [Name of Plan] insofar as it provides or pays the cost of Medical Care
and does not provide or pay the cost of Excepted Benefits.[3]
“Plan Sponsor” means [Name of Employer].
“Privacy Rules” means the Standards for Privacy of Individually Identifiable Health
Information promulgated by the Department of Health and Human Services (“HHS”)
pursuant to the Health Insurance Portability and Accountability Act of 1996, and found
at 45 CFR part 160 and part 164, subparts A and E.
“Secretary” means the Secretary of the Department of Health and Human Services or
[2] The Plan Sponsor can receive two types of PHI without amending the Plan documents or obtaining the employer
certification. Those types of PHI do not need to be subject to these provisions. First, the Plan, or an Insurer
under the Plan, may provide summary health information to the Plan Sponsor for the purpose of obtaining
premium bids for providing health insurance coverage under the Plan, or for the purpose of modifying, amending,
or terminating the Plan. The Plan, or an Insurer under the Plan, also may provide to the Plan Sponsor information
on whether an individual is participating in the group health plan, or is enrolled in, or has disenrolled from, an
Insurer's program offered by the Plan.
[3] This provision defines the Plan for purposes of these provisions as being only the health benefits portion of a
plan that includes non-health benefits. The Privacy Rules prohibit use or disclosure of PHI obtained from a health
program in connection with any other benefits, even if included in the same plan document as the health program,
without express authorization from the individual that is the subject of the PHI.
“Summary Health Information” means summary health information as defined in
§164.504(a) of the Privacy Rules to the extent disclosed to the Plan Sponsor in
accordance with §164.504(f)(1)(ii) of the Privacy Rules.
Plan Sponsor hereby certifies that, from and after the Effective Date, the documents setting out
the terms of the Plan incorporate the following provisions and that the Plan Sponsor agrees to:
(c) Refrain from using or further disclosing the Disclosed PHI other than as permitted
or required by the documents setting out the terms of the Plan or as required by
(d) Ensure that any of the Plan Sponsor’s agents, including a subcontractor, to
whom the Plan Sponsor provides Disclosed PHI, agree to the same restrictions
and conditions that apply to the Plan Sponsor with respect to such Disclosed
(e) Refrain from using or disclosing the Disclosed PHI for employment-related
actions and decisions or in connection with any other benefit or employee benefit
plan of the Plan Sponsor.
(f) Report to the Plan any use or disclosure of the Disclosed PHI of which the Plan
Sponsor becomes aware that is inconsistent with the uses or disclosures
provided for in the documents setting out the terms of the Plan.
(g) Make the Disclosed PHI available in accordance with §164.524.
(h) Make the Disclosed PHI available for amendment and incorporate any
amendments to protected health information in accordance with §164.526.
(i) Make available, in accordance with §164.528 of the Privacy Rules, the
information required to provide an accounting of disclosures of the Disclosed PHI
made by the Plan Sponsor, its agents or subcontractors.
(j) Make its internal practices, books, and records relating to the use and disclosure
of the Disclosed PHI available to the Secretary for purposes of determining
compliance by the Plan with the Privacy Rules.
(k) If feasible, return to the Plan, or destroy, all Disclosed PHI maintained by the
Plan Sponsor in any form, and retain no copies, when such Disclosed PHI is no
longer needed for the purpose for which disclosure was made, except that, if
such return or destruction is not feasible, the Plan Sponsor shall instead, with
respect to Disclosed PHI as to which return or destruction is infeasible, limit
further uses and disclosures by the Plan Sponsor, its agents and subcontractors
to those purposes that make the return or destruction of the Disclosed PHI
(l) Ensure that the adequate separation required in §164.504(f)(2)(iii) is established
with respect to the Plan.
IN WITNESS WHEREOF, the undersigned, being an authorized representative of the Plan
Sponsor signs this Certification this _____ day of __________, 200__.