HIPAA - Disclosure from GHP to employer re dependant's eligibility

[Guest crs]

An employee is knowingly claiming a dependent that isn't eligible for coverage under our self-insured GHP. Can the plan share this info. with the plan sponsor (i.e., the employer)? I can't find an exception in the privacy regs. (fraud?) but think there certainly should be one. Any thoughts? Thanks in advance.

[leevena]

I am not 100% confident, but you should be able to share this info. The privacy regs were developed to provide persons with privacy for their personal information. Furthermore, the information can be used by others for the completion of their jobs, i.e., staff person enrolling someone, or a claims person paying a claim. Since part of your/someone's job is to verify eligibility, then this should be ok. If it is not, this would be very disturbing.

Good Luck.

[Guest crs]

Thanks for your response. I greatly appreciate the insight. Any idea what exception it would fit under the privacy regs?

[leevena]

Sorry, I don't. I do not know the law in detail.

[GBurns]

Why would the GHP need to inform the employer anyhow? What action could the employer takes as employer or as plan sponsor?

If the GHP denies coverage and properly notifies the employee that should be the end of that. Unless the employee subsequently knowingly tries to submit claims there should be no further problem that I can see. And if the employee does so then I would think that fraud or other action could be threatened.

[leevena]

GBurns...unless I am mistaken, it sounds like the employee, and ineligible dependent, are already enrolled in the plan. If that is the situation, wouldn't the employer need to know that information for administrative issues? And, since the plan is self-funded, it sounds like fraud was being done to the employer? The employer is spending some dollars on this ineligible enrollee. Can you explain why the employer would not be informed?

[Guest crs]

The employer is obviously concerned that it has a dishonest person working for them since it is likely based on the situation that the employee wasn't honest when signing up the ineligible dependents for coverage.

[Mary C]

We view our enrollment form as a company document and record. If an employee knowingly enrolls an ineligible person or knowingly mistates a relationship to make someone eligible, we view that as falsification of company records subject to displinary action up and including termination of employment. Yes, the employing company absolutely needs to know, particularly if they are taking deductions for the coverage and will need to adjust the amount taken due to the deletion of the ineligible person.

[Guest Steve72(b)]

This is a tough spot. Clearly, the plan can force disenrollment of the non-existent dependent. Whether the employer can take any employment action based on the decsption will depend on the manner in which it was discovered. Remember that enrollment and disenrollment information is unique in that it is held by both the plan and the sponsor (for example, for payroll deduction purposes).

[Guest crs]

It was discovered by another employee who essentially informed the benefits dept that the employee was carrying an ineligible dependent. I agree that the plan can terminate coverage for the ineligible dependent, but can the employer, serving in its role as employer (not plan sponsor), take any action?

[Guest Steve72(b)]

It was discovered by another employee who essentially informed the benefits dept that the employee was carrying an ineligible dependent. I agree that the plan can terminate coverage for the ineligible dependent, but can the employer, serving in its role as employer (not plan sponsor), take any action?

That's going to be a risk/reward determination you need to make.

Based upon what you've stated, I think there is a fairly strong argument that the information was received by the employer ("benefits department" employees operate with dual roles...sometimes as plan workforce, sometimes as employees of the employer). If the information was received by the individual in his or her role as an employee of the employer, employment action can be taken.

Not very specific, I know, but unfortunately it's a question that requires that kind of wishy-washy answer.

[GBurns]

leevena

The employer is not the plan. The employer provides a payroll accomodation to the plan by making the payroll deductions. Payroll deductions are not made for the employer's purposes but for the health plan's purposes. I doubt that the employer provides any administrative duties for the plan. Administrative duties are usually performed by outside vendors such as a Claims Adminstrator. The Claims Administrator also usually handles eligibility and coverage issues. Since it is the CA handling eligibility and coverage issues it should be the CA who denies coverage and payment of claims.

What the employer needs to know is how much to deduct each pay period. Knowing the why beyond what is on an enrollment form is not an employer function, it is a plan operation function subject to being PHI.

I doubt that the employer as employer can make any plan operation decisions even if the plan is self-administered, which is very doubtful. The Plan Sponsor can. Notice the HIPAA requirement for a privacy officer etc if there is employer involvement beyond basic enrollment etc. To me this more than points out that there is a big difference between employer and plan sponsor. I even think that this employee might be able to raise privacy issues because of how the issue was discovered. Was this other reporting employee eligible to be privy to PHI if it was discovered from seeing PHI?

As crs points out the employer might be concerned about having a dishonest employee. But that is not a health plan issue and I would advise against making employment decisions based on health plan issues without seeking legal counsel.

[Guest Steve72(b)]

leevena

The employer is not the plan. The employer provides a payroll accomodation to the plan by making the payroll deductions. Payroll deductions are not made for the employer's purposes but for the health plan's purposes. I doubt that the employer provides any administrative duties for the plan. Administrative duties are usually performed by outside vendors such as a Claims Adminstrator. The Claims Administrator also usually handles eligibility and coverage issues. Since it is the CA handling eligibility and coverage issues it should be the CA who denies coverage and payment of claims.

Payroll deductions are made for both the employer and the plan. Enrollment and eligibility information may be held by both employer and plan.

What the employer needs to know is how much to deduct each pay period. Knowing the why beyond what is on an enrollment form is not an employer function, it is a plan operation function subject to being PHI.

This is putting the cart before the horse. Information cannot be PHI if it is not received by the plan. The nature of the information is immaterial if it is held by the employer.

As crs points out the employer might be concerned about having a dishonest employee. But that is not a health plan issue and I would advise against making employment decisions based on health plan issues without seeking legal counsel.

I agree with this. If the information was received by the HR employee in his or her role as plan administration, then taking employment actions based on that information would be problematic from both a HIPAA and ERISA perspective. However, if the individual received that information as the employer (or plan sponsor, if you will...for HIPAA purposes the two are interchangeable), then the information never becomes PHI, and is never subject to HIPAA limitations.

[GBurns]

I am referring to payroll deductions (section 125 salary reductions) that are done for the purpose of paying the employee share of the health coverage cost.

Payroll deductions are deducted as Payables (FICA Payable, Union Dues Payable, Health Insurance Payable etc) for remittance to the selected entity. Payroll deductions are made on behalf of the employee payable to the entity named by the employee. Deductions are not made for employers, unless it is for money owed to that employer, a very rare situation.

Enrollment information is held by the employer and the eligibility information provided by the enrolling employee would be in that enrollment information, but that is as far as it goes for the employer. Accepting the enrollment information is done by the Plan and the Plan Administrator not the employer (as employer). Interpreting plan provisions (whether for coverage or for claims) is not an employer (as employer) function.

Individually identifiable claims information etc is PHI. The rest of "Information cannot be PHI if it is not received by the plan. The nature of the information is immaterial if it is held by the employer." I do not understand. This issue arose only because information other than what is on the enrollment form was relayed to the employer as an employer. This information was derived from claims made. Detailed or individually identifiable claims and health info is PHI.

[leevena]

GBurns...let me see if I have this straight.

An employer makes available a health plan to their employees. The employer is also paying for some portion of that plan. A dishonest employee enrolls an ineligible dependent in the plan, which costs the employer money. Is this not stealing or fraud? And your recommendation is to do nothing.

What would stop any employee from lying/stealing/committing fraud in any employer sponsored program?

I'am sorry, but I do not agree with you on this.

[Guest Steve72(b)]

Individually identifiable claims information etc is PHI. The rest of "Information cannot be PHI if it is not received by the plan. The nature of the information is immaterial if it is held by the employer." I do not understand. This issue arose only because information other than what is on the enrollment form was relayed to the employer as an employer. This information was derived from claims made. Detailed or individually identifiable claims and health info is PHI.

GBurns:

Technically, this is not true. Individually identifiable claims information is PHI if it is held by the plan. If detailed claim information is released (for example, by the individual telling co-workers about his or her hospital visit), it does not become subject to HIPAA merely because of the nature of the information.

Here, there is information which both the employer and the plan require. The information is given to an individual who serves a dual role: Plan workforce and employee of the employer. This individual processes enrollment and disenrollment information under both responsibilities.

The original poster did not state the specific information given, the nature of the person who provided the information, nor the purpose for which it was given. If it was, for example, a co-worker who went to HR to report a fraud, then I think a clear case could be made that this information was received in an employer function, and never got inside the HIPAA firewall. This is even true if the reporting individual desciribed a specific claim in the report, e.g.: "John's ineligible nephew received an appendectomy last week and John filed a claim under our plan." Although this information would be PHI if received or held by the plan, the nature in which it was received makes it at the very least ambiguous as to whether it was a report made to the plan or the employer.

As I stated above, it is difficult to give a 100% certain answer, and I agree that counsel should be consulted....but it is entirely possible that this matter can be dealt with without implicating HIPAA.

[GBurns]

leevena

Let me try agin, but first I will start with a fully insured plan in which the employer pays 80% and the employee 20% of the premium (health plan cost).

The fraud would be committed against the insurance company not the employer and not the employer's health plan or plan sponsor. Prosecution would be at the discretion of the insurance company not the employer and not the employer's health plan or plan sponsor.

Now consider a self-insured plan. The only difference is that there is no insurance company insuring the benefits (the covered services). Everything else is the same, is it not?

The employer is still the employer and the plan sponsor but is still not the health plan. There are employer duties, there are plan sponsor duties. These are separate entities. Then there are the adjudication etc duties, those are now performed by the TPA (Claims Administartor) and still not by either the employer or the plan sponsor.

The fraud is committed against the entity that pays the claims, since it is a false claim whether it be for coverage (ineligible individual) or services rendered. The entity that pays the claims is not the employer but the health plan.

[leevena]

Sorry, but I still do not agree. In your scenario, the employee can steal/commit fraud and get away with it. Do you really believe that this can be done? There is no way for the employer to disenrol the ineligible person?

[jsb]

Reckon I'm with leevana on this one. While there certainly is fraud against whoever is accepting the risk and paying claims, there is payment by the employer for the dependent coverage which is clearly being misappropriated by the false (fraudulent?) representations of the employee. But is it fraud, or confusion, or poor communication, or ????

Now, whether or not it will rise to the level of a firing offense or not in your company is a subject for YOUR attorney in the context of YOUR policies and YOUR past practices. In my organization, it might be a discipline issue, but if we fired you for it we'd probably be reinstating you a couple of years later with full pay after your union got done with all of the appeals. It would be a high risk, low reward scenario with little or no deterrent value. However, if we could identify a clear body of on-point case law from our own Circuit, it would be worth the risk.

Whether or not the insurance company could (or would) come after you is another story altogether that would likely hinge on the dollar value of their loss. I might encourage them to do so, but that will be up to THEIR attorney, etc...