Steve72

First, I agree with GBurns and QDROPhile. However, I have seen some employers take the position that an employee can elect at the onset of employment, to be a "benefits eligible" or "non-benefits eligible" (with increased compensation) employee. Because there is no annual election to take compensation, there is no constructive receipt, therefore, no cafeteria plan is necessary. it is considered a condition of employment. Do I think this is without risk? No. It runs a little close to what is intended to be covered by the 125 rules for my liking. And, as GBurns points out, the additional compensation would clearly be taxable (although the employer could gross-up the amount). If you choose to take this approach, i would advise getting competent benefits counsel to advise you.

Note that the rule of the McGann case may be altered by the new (at least, newer than McGann) HIPAA nondiscrimination regs. As Don Levitt points out, changes in benefit offerings which would discriminate against an individual based on a health status related factor (e.g., in the McGann case, the change discriminated against an AIDS victim) need to be made prospectively on the plan year in order to avoid HIPAA issues.

I'm going to disagree with GBurns. Although there is definitely a movement away from using the SSN as an identifier, many insurers/TPAs still use it as the default. In fact, it's not uncommon for insurers or TPAs to charge their clients extra for using a different individual identifier. The SSN is not a protected piece of data under HIPAA. It is an identifying characteristic, not PHI. The only HIPAA implication for the SSN is theability of health information to be tied to an individual through the identifying information. However, that does not afford the SSN any greater protection than, for example, the name. There was a proposal to include an "individual identifier" under HIPAA, but it was never finalized. As for the pre-emption issue, the California state law (which I believe is the only one in effect) states explicitly that an employer cannot print the SSN on benefits material. Because this affects benefits administration in that the sponsor may need to have differing procedures for participants in California and other states, I think there is a fairly strong argument that it is pre-empted. I wouldn't want to be the one to test the argument, however.

Good question. I assume this is the California law. It's not clear whether this law is preempted or not (I think it should be.) There's no Federal law that I'm aware of prohibiting the use of the SSN in this manner, but Congress has a few bills in process.

Washington Post Article

GBurns and I had a fairly good discussion on this very issue just recently. Recent Thread I think your client is correct.

The result will be employees "similarly situated" (same job, same Dept, same health, same age same everything) having different costs. Even assuming that this is true, the differing costs will not be based on a health status related factor. In order for a program to violate HIPAA nondiscrimination, the discrimination must be based on one of the itemized factors. I also don't know what you mean by "...its sole purpose is as a basis for cost shifting." Certainly, that is the end result from the employee's perspective, but (as discussed above) the cost shifting is not based on a health status related factor. When I have seen this type of program used, the questionaire has been used to make the employees more aware of their own health, and to encourage wellness and preventative care issues (thereby reducing the eventual benefit costs to the employer). I would be very surprised if this were not the goal...I can't see any other goal that would be served. As a result, even if the program would initially violate HIPAA (I believe it does not), it would meet the requirements of the proposed regulations on bona fide wellness programs.

HIPAA: There is no discrimination because filling out a survey is not a health status factor. This is only the case if the discount is given upon completion of the survey REGARDLESS of the content of the survey. If, for example, the employer gave a discount to employees who answered the survey in a particular way (e.g., no family history of heart disease), then there is a clear violation. However, as structured here, completion of the survey itself is not one of the listed factors. From your link: (ii) Cost-sharing mechanisms and wellness programs. A group health plan or group health insurance coverage with a cost-sharing mechanism (such as a deductible, copayment, or coinsurance) that requires a higher payment from an individual, based on a health factor of that individual or a dependent of that individual, than for a similarly situated individual under the plan (and thus does not apply uniformly to all similarly situated individuals) does not violate the requirements of this paragraph (b)(2) if the payment differential is based on whether an individual has complied with the requirements of a bona fide wellness program. From the DOL's Q&A, available at the link below (emphasis added): http://www.dol.gov/ebsa/FAQs/faq_hipaa_ND.html My group health plan requires me to complete a detailed health history questionnaire and subtracts Health Points for prior or current health conditions. In order to enroll in the plan, an individual must score 70 out of 100 total points. I scored only 50 points and was denied eligibility in the plan. Is this permissible? No. The HIPAA nondiscrimination provisions do not automatically prohibit health care questionnaires. It depends on how the information that is obtained is used. In this case, the plan requires individuals to score a certain number of Health Points that are related to prior or current medical conditions in order to enroll in the plan, which is impermissible discrimination in rules for eligibility based on a health factor. 125(g)(2)(A) and (B) Note the phrasing of the statute. A plan "shall not" be considered discriminatory if... These are safe harbors for passing the discrimination test, not the test itself. The discrimination test itself is found in 125(b). It deals with discrimination in favor of highly comped or key employees. That is not the case here. 1.125-1 Q&A 17 I assume the sentence you are talking about is "In addition, the accident or health plan must provide for the nondiscriminatory reimbursement of expenses on a per capita basis, rather than as a proportion of compensation". This is, again, discrimination based on compensation. Look at the beginning of that paragraph. Eligibility, Benefits and Concentration Again, this is dealing with discrimination in favor of highly comped or key employees. See 125©. ERISA The cite you provided points back to (a)(1), which are the health status factors. As discussed above, whether or not an individual completes a survey is not a health status factor. 105(h)(3)(ii) Under the proposed design, all participants are eligible to participate. The question is the amount of premium. Therefore, 105(h)(3) is not implicated at all. 105(h)(4) is what governs this area. Again, this deals with discrimination in favor of highly compensated individuals. This is not a concern here.

I do not understand why that should make a difference in the 125 area. Certainly, that's why the questionaire passes the HIPAA discrimination test, and smoking is more problematic, but why does that get around the issue you've raised with regard to the 125 test (which I feel is a non-issue)? It's entirely possible I'm missing something fundamental here, but I just do not see the distinction in the issue you've raised.

Well, I would disagree as to whether this plan design has been seen elsewhere. I'm reading the IRC right now. I fail to see how this would be problematic...again, assuming that both highly comped (and key employees) and non-highly comped (and non-key employees) are given, and complete the survey on an equivalent basis. The employee has made a choice between benefits in cash in determining whether to contribute to the plan. The amount of the contribution is not a separate election, IMO. It is a bona-fide wellness program that enables employees to reduce their premium. Assuming there were no HIPAA nondiscrimination issues, would you argue that giving a discount to non-smoking employees would violate 125 because the employee could choose each year to whether or not to smoke?

On-site medical cliincs are not health plans for purposes of HIPAA. However, if they conduct "covered transactions" in an electronic amnner (e.g., billing for services), they may be covered providers, which are subject to HIPAA. This is a very fact-specific analysis, and you probably need more detailed review than it is possible to get on a message board. As for the off-site nutritionist, does the employer (or the plan) directly pay the nutritionist, or is it reimbursement? If it is a reimbursement program, there is an argument that it is not a health plan for HIPAA purposes. However, if the program actually receives claims from the provider, it is most likely subject to HIPAA.

GBurns: Why would it be taxable income? The plan is drafted to permit a lower premium for employees who complete the questionairre. This is not an unusual plan design. There is no income, only a lower fee for the participant. J2D2: Yes, that would clearly pass the HIPAA nondiscrimination tests, as it is not based on health factors. I think what GBurns is referring to is the Section 125 nondiscrimination tests. However, the 125 nondiscrimination tests prevent discrimination in favor of highly compensated participants....not based on health status. Presuming that the questionaire is completed by equivalent numbers of highly comped individuals and non highly comped individuals, this design should not cause the plan to run afoul of the 125 rules.

Wait...If you are only applying a premium rebate for COMPLETEING the questionairre, and not for any of the content therein, then there should be no HIPAA nondiscrimination issues. The questionairre would be part of a wellness program contained within the plan. However, if you are using the questionairre as underwriting, then the discrimination issue would be present.

My answer below is limited to HIPAA issues, since I believe that was what the question was geared towards. There are two issues you've raised, Jeanine. First is whether there is a HIPAA obligation. Second is whether you have met that obligation. If, in your role as a covered entity, you erroneously receive health information about a non-patient (e.g., a file mistakenly sent to the wrong hospital), I think that information is still PHI. It is individually identifiable health information received by a covered entity. However, the obligation created here is to not use or disclose information in a manner inconsistent with HIPAA. Destruction and returning to sender (once you have used appropriate methods to ensure that the sender is the correct party) are not inconsistent with HIPAA. Ironically, the real concern here is the six year maitenance requirement and individual rights. I would argue that those requirements apply to PHI in a designated record set. There is no designated record set here, as the PHI is never "used" other than returning to sender. As far as erasing someone's mind, I believe if you ensure that individuals treat the PHI received erroneously with the same care they treat PHI received in the course of their duties, then you have met your obligation.

Interesting question. PHI is information held by a covered entity about an individual's treatment, medical condition or payment for treatment. An individual is defined in HIPAA as the person who is the subject of the PHI. If the covered entity receives medical information about a non-patient (or non-participant), then I would say you are right, that the covered entity must extend HIPAA protections to the information. However, it's important to point out that the covered entity must receive this information in its role as a covered entity in order for HIPAA to apply. For example, if a hospital receives information about an employee for absence management purposes, then it has received the information as an employer, not as a hospital. This information is not protected by HIPAA.

By "health care providers" I assume you mean sponsors of health plans ("Health care providers" is a defined term under HIPAA which includes doctors, hospitals, etc.) HIPAA contains a specific requirement for a notice of privacy practices (NOPP). This is a separate requirement from the SPD. Because the disclosure requirements are not identical, I generally advise that the NOPP be provided separately from the SPD. Note that some have taken the position that the HIPAA amendment requires a summary of material modifications, in addition to the NOPP. I do not believe this is correct.

I agree. There is no HIPAA violation here. HIPAA does not apply to absence management information. However, some state courts (notably New Jersey) have used HIPAA as the standard for common-law privacy issues. Certainly this practice should be avoided. Also, just as a side note, the Federal Department of Labor does not enforce HIPAA privacy rights. The Department of Health and Human Services does. The DOL would only have the ability to get involved if the HIPAA violation also constituted a failure to follow the terms of the plan document (i.e., the HIPAA amendment). Even then, I believe they would defer the investigation to HHS.

Well, they're correct that the document must be amended. HIPAA is very clear on that. However, ERISA permits documents to be amended without restating the entire plan. There is no argument that I'm aware of that would require the document to be re-published. An amendment adopted in accordance with the procedures established by the plan document itself is sufficient (and necessary).

You are right, an amendment is sufficient. THere's no need to restate the entire plan. Maybe they're talking about a business associate agreement? Did you execute one with the TPA?

I've used both the routes suggested above. The DOL brochure is very good, but is (for good reason) primarily concerned with Federal issues. I was hoping to short-cut my research with a site or resource that references the appropriate sections of each states insurance code. I've seen similar sites for (for example) state mini-COBRA laws and health privacy, and was hoping someone had run across one for MEWAs.

Is anyone aware of a source that provides a state-by-state summary of MEWA regulation? Thanks in advance.

If the MERP is a "plan" under HIPAA, then it will need to comply with HIPAA. However, informal HHS statements have indicated that, if the program is for reimbursement of expenses only, it will not be a covered plan. Instead, it is an employer function (employers are not covered entities under HIPAA). If, however, the plan makes direct payment to providers, it will need to comply with HIPAA. It sounds like this would be an employer function. However, remember that these are informal statements. There are a lot of areas under HIPAA that need clarification...particularly in the employee benefit plan area.

A couple comments: (1) HHS (health and human services), not the DOL, would pursue action under HIPAA (if any). This is not necessarily an employee benefit plan issue. As stated above, providers have their own separate obligations under HIPAA. (2) The question posed indicated that the physician had, essentially, admitted that the use of the individual information was inappropriate for the joint session. It can be inferred that the use was not for treatment. Providers do not have free reign to utilize PHI. (3) The "general release" to which GBurns refers would not expand the right of the provider to utilize the information beyond that permitted by HIPAA, unless it constituted a HIPAA compliant authorization. I highly doubt that jsmiddleton was forced to sign a blanket authorization prior to treatment. (4) This: I would have thought that in a joint session all items and info applicable to both individuals are open for discussion. Anything from your individual session is your info and there open for the joint session is essentially the question jsmiddleton is asking. I do not think the quoted statement is necessarily true, especially given the counselor's admission that the disclosure was inappropriate.

Health Care Providers under HIPAA are covered entites separate from the health plan. They have their own obligations completely outside those of the health plan. It is not necessarily true that any provider covered by your health insurance is a HIPAA covered Health Care Provider, nor that policies that govern your health plan govern the provider.

Good question, and I don't think there is a hard-and-fast answer. You state that this individual is a "marriage counselor". It is unclear whether he or she is providing "health care". Health care includes counseling services with respect to an individual's mental condition. However, if this individual's services are related solely to the relationship, and not to you as an individual, they may not be covered. Does the counselor consider him (or her)self covered? I.e., did you receive a privacy notice before treatment started? If the individual IS covered, then the question is whether the disclosure is permissible. PHI can always be disclosed for treatment purposes. However, it appears from your post that the disclosure was (by the counselor's own admission) not appropriate for treatment. Additionally, as discussed above, it's not clear that the jopint session would qualify as health care treatment. Therefore, if the counselor is covered, I think there is a decent argument that this was a disclosure in violation of HIPAA.