Steve72

Aggressive interpretation follows: Note that there are two tests under 105(h): Eligibility and benefits. A strict reading of the regs seems to indicate that only the benefits test is applicable to retirees (meaning that you just need to ensure that the same benefits are available to all retired participants, and technically, you could discriminate on the basis of eligibility.

I agree with b2kates. I don't have the regs in front of me, but I also believe there is an age limit (i.e., you couldn't provide a date of birth that indicated the individual was over 89...or something). I could be mistaken, however.

Hasn't this already been argued? (EDIT: Yes, it has. HERE.) Don, no insurance company is going to sell an illegal product, regardless of whether the plan sponsor would be free to offer it.

Haffenhreffer (AKA "Green Lightning") is still very much available.

Really? I aways filed it as a polecat.

23: The drink in his hand is a White Russian.

If they were highly compensated individuals, you likely have an issue with 105(h) discrimination.

I wonder why you found it necessary to respond to my omission but not to that of oriecat. Fair is fair. This seems a bit petty (if it's not meant humorously). If you took offense, I apologize. ..."However", my response would be that the "however" line of discussion was initiated as an argument against my interpretation of the law. As a counter argument, I thought it sufficient to show why your argument was incorrect. None of the "howevers" in your quoted passages state or even imply that non-covered entities can be governed by HIPAA.

Now you're omitting important words. Here's the sentence with my emphasis: These health plans are still required, however, to refrain from intimidating or retaliatory acts (45 CFR 164.530(g)), and from requiring an individual to waive their privacy rights (45 CFR 164.530(h)). We are not talking about a health plan. We are talking about the employer. For purposes of HIPAA, they are very different entities.

You omitted noticing the word "However" which would act as a qualifier and affect non covered entities. I honestly don't understand what you mean by this. The inclusion of "however" does not change the statement that HIPAA does not affect non-covered entities. I guess that we might have to wait until someone spends the time and cites a case or instance that has the same or near facts and circumstances. The only HIPAA case of which I am aware is a criminal conviction for stealing health information. However, any case which held an employer liable under HIPAA under these facts would be absolutely and completely out of line with the plain language of the regulations..

First, when an employee uses the term HIPAA, it usually is used as a "catch all" for all Privacy rules, State Federal and anything else. I do not expect accuracy from an employee who probably uses the term 1 time per year. So although the OP did state HIPAA, I took that as a "catch all" not as an exact term and did not get hung up on HIPAA. There is still State law etc. ...Which is why I was careful to limit my response to HIPAA and provide a link to a resource on state privacy rules. State regulation varies wildly. It is not possible to answer yes or no to a question like this regarding state issues without knowing the state. Second, I still do not see how the employer can get around HIPAA. Note the references in the below (and many other) Q&A and use of such phrases as "the Privacy Rule does control the conditions under which the group health plan can share protected health information with the employer""will not be used for employment-related actions"refrain from intimidating or retaliatory acts (45 CFR 164.530(g)), and from requiring an individual to waive their privacy rights (45 CFR 164.530(h))". There are many other Q&As that seem applicable and probably more on point including 29, 97 and others. I'm not going to re-quote the majority of your quotes, but this sentence is the most important one: Neither employers nor other group health plan sponsors are defined as covered entities under HIPAA. There is no health plan involved here. The employer does not have a covered entity involved in the exchange of information. As far as HIPAA is concerned, once the information leaves the doctor's office, it is free and clear. The remainder of the Q&As are completely inapplicable. The plan is not sharing information with the employer. The doctor is. The information that this employer wants is detailed PHI and it will not be used for the administration of any sort of health plan. It will be used for employment related purposes and refusal to give it would garner a retaliatory action. Even if there is no refusal and no immediate retaliatory action by the employer, the PHI is still going to be used towards eventual disciplinary action and which is still employment related and not health plan related. On top of all this such detailed information is not necessary to administer the sick day program and so the detailed PHI serves absolutely no purpose. First, once it is released from the doctor (either to the employer or the employee), it is no longer PHI, regardless of the information it contains. It is IIHI. PHI is defined as is IIHI held by a covered entity. Neither the employer nor the employee are covered entities. This fact eliminates the remainder of your argument. If the information is not used for health plan administration, it never, ever becomes PHI when held by the employer (or any of its non-health plans). HIPAA is completely inapplicable to this question.

The information contained doesn't affect the answer. The entity requesting the information is not a covered entity, and has no HIPAA restrictions on the use of medical information. As pointed out above, there may be state restrictions (BTW, excellent state health privacy resource HERE), but HIPAA only applies to covered entities. Unless this information is being used for health plan administration (which does not include STD, LTD, leave of absence, etc.), the only HIPAA concern is held by the doctor. If the employer states that the employee must provide the information or face discipline or discharge, the manner in which the employee gets the information is between the employee and the doctor (either by authorization for the information to be provided directly to the employer, or by the employee walking in and exercizing his or her HIPAA right to review the relevant designated record set, then bringing it to the employer.) In either case, the employer is unconcerned with HIPAA at any level.

"IRS Interpretation applues protected vesting percentage to future accruals. The IRS interprets this rule to mean the vesting percentage at the time of the amendment must not be reduced, EVEN WITH RESPECT TO BENEFITS ACCRUED AFTER THE AMENDMENT (emphasis added by Sal via underlining). Maybe I'm missing something, but it seems to me that the vesting schedule for monies accrued after the amendment is actually increased. I don't think this passage would prevent the separate vesting schedules.

First, Kirk, I appreciate your condolences. It's gotten even worse since HIPAA Security came out. I went to law school precisely because computers break when I touch them. If the employer is subject to the rigors of HIPAA with respect to the PHI it receives regarding the employee relating to its health plan, it seems anomalous that it could get the exact same information regarding the person and his or her medical condition in the context of it absence management functions without triggering the panoply of protections for the employee under HIPAA. It is anomalous. HIPAA is somewhat awkwardly written, in part because of the limited scope of authority HHS was given in drafting and in part (in my opinion) because the drafters of the regs did not have an adequate understanding of the ERISA universe they were suddenly thrust into. HIPAA only governs certain types of entities, called (appropriately enough) "covered entities". Covered entities are limited to health care providers (doctors offices and hospitals that conduct certain transmissions electronically), health care clearinghouses (third party health information "repackagers"), and health plans (insurance companies and employer sponsored "group health plans"). Note that ERISA plans and the insurance companies themselves are lumped into a single term. This frequently makes for awkward regulations, as rules that were drafted for one apply equally to the other. Of ERISA plans (and other employer benefits), only those plans which are considered "group health plans" are covered entities. Generally, these are plans which provide benefits as described in the PHSA. This includes health plans and EAPs, but does not include disability plans or absence management plans, because such plans provide income replacement or similar benefits...not medical care. For purposes of HIPAA, employees of an employer who receive information from a group health plan are deemed to be part of the "workforce" of the plan , not the employer. This is necessary so that those employees can even be considered subject to HIPAA. It is entirely possible that an individual will be considered to work both for the plan and for the employer. When he or she receives information as part of his or her "plan" role, that information may only be used for plan functions. The same is not true if he or she receives information as an employee of the employer. The firewall only works one way. This sets up exactly the problem you have outlined. If an individual receives information from the health plan, it is subject to HIPAA's rigorous rules. If that same individual receives information in their role as an employer, it is not. Some states have ruled that standards analogous to HIPAA will be used for common law invasion of privacy suits, but that's developing law. In a nutshell, the reason the situation in your paragraph does not make sense is because (although practically it is correct), legally the situation is misstated. The employer is never subject to the rigors of HIPAA. The plan is. The employer shares its employees with the plan, but is not itself subject to the rules. (Sidenote...HIPAA requires plan documents to be amended to incorporate HIPAA standards. In this way, a plan which violates HIPAA may also cause the employer to violate the terms of the plan document. This, however, is an ERISA violation...not a HIPAA violation.) I'm not questioning your assertion the STD plans are subject to HIPAA because I don't have a clue as to what is the right issue (and I'm not willing to spend the time researching a theoretical point). I'm just pointing out that the result seems hard to justify from a policy perspective. I agree wholeheartedly. The U.S. system of privacy is patchwork at best. Privacy rules are based on the information holder. In the EU, by contrast, the privacy rules are based on information, regardless of where it is held. That system, IMHO, makes much more sense. The results are, as a matter of policy, not only incongruous, but flat-out silly. As far as the HIPAA/ERISA interaction goes, however, silly is par for the course.

Under HIPAA, the employer can absolutely force the employee to provide this information. Absence management is an employer function, not a plan function. Even if it were a plan function (of the STD plan), STD plans are not covered entities under HIPAA. HIPAA does not provide any impediment to this action. The demployer can tell the employee to provide this information or face disciplinary action. It is up to the employee and the doctor how the information is disclosed (the doctor will likely require the employee to execute an authorization), but that is immaterial from the employer's perspective.