HBRs and Protected Health Information

The North Carolina State Health Plan (Plan) is committed to safeguarding Protected Health Information (PHI) and providing quality services to all our members. We would like to remind every employing unit that when information regarding Plan members received from the Plan or its vendors is stored, accessed, or transmitted by the employing unit and its employees (including the Health Benefit Representative), that information is subject to the protections and regulations of HIPAA.

The HIPAA Privacy Rule is a federal regulation issued by the U.S. Department of Health and Human Services (HHS) which governs the use and disclosure of PHI in health care treatment, payment, and operations by Covered Entities and their partners. Group health plans like the Plan are considered Covered Entities and are subject to the requirements of HIPAA and the Privacy Rule. Anyone with whom the Plan shares information in the course of business is also required to protect that information.

The Privacy Rule protects all individually identifiable health information held or transmitted by a Covered Entity, in any form or media, whether electronic, paper, or oral. Individually identifiable health information is information that (1) identifies an individual person, and (2) relates to: an individual’s past, present, or future physical or mental health or condition; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.

When the Plan and its vendors, such as Benefitfocus and iTEDIUM, transmit data containing an employee’s eligibility, premiums, or other individually identifiable information to an employing unit or HBR (i.e., on daily, weekly or monthly data files or via a secure portal), that data is considered PHI, and must be protected by the employing unit according to the requirements of HIPAA.

Consult your legal department, as well as your IT security, to ensure you have the necessary processes, security, and controls in place to adequately protect any such information received from the Plan or its vendors regarding Plan members that you store, access, or transmit.