Steve72

Well, remember that it's not enough for the provider to transmit health information electronically, they must do so in connection with a covered transaction. Does this employee perform any transactions that would be covered under the EDI rules? i,e., does she perform any of the following transactions electronically: Claims, health care payment or remittance advice, coordination of benefits, health care claim status, enrollment/disenrollment in or eligibility for a health plan, health plan premium payments, referral certification and authorization, first report of injury or health claims attachments?

The definition of "Health Plan" in HIPAA is broader than the ERISA definition. If a pension plan "provides, or pays the cost of, medical care", it may very well be subject to HIPAA.

I don't think that the covered entity needs to identify the business associates. The only complication I see is with regard to individual rights under HIPAA. Will participants be able to contact the BA directly to review their PHI, or will the employer act as intermediary? I think either way is acceptable.

I do want to clarify, however, that information which is beyond the minimal amounts contained in the EOB (e.g., detailed claim information) about adult dependents should not be available to the named insured, unless specifically authorized by the dependent. If that type of information is available on the website (for example, information of pending claims), only the individual to whom it pertains should have access.

I also agree that payment information can be released to the named insured without authorization.

Your understanding is correct. Your spouse should not have access to your information. However, this may be a technical...not a HIPAA...issue. If your spouse is the named insured, he or she may need to register the family on the website before any access can be given by that means. After registration, under HIPAA, each adult individuyal should have access to their own information.

I don't see any problem either. I agree with mroberts.

Benefitsmom is correct. Unless the SPD is also the plan document, HIPAA privacy language is not required to be in the SPD. In fact, there are legitimate reasons why it should NOT appear in the SPD. HIPAA privacy mandates a "Privacy Notice", which has its own content and disclosure requirements. This document should serve in place of the SPD for privacy issues.

Unless I am missing something fundamental here, it sounds like the employer is allowing everyone 31 days from the date of eligibility, which is perfectly acceptable.

I agree with jbentz. POA is never required by HIPAA, however the POA may permit the employer to act as the "personal representative" of the individuals. If the insurer is going strictly by HIPAA's rules, an authorization will permit release of any information, including specific diagnoses. However, there is nothing preventing the insurer from having more restrivtive policies.

If you take the position that the advocacy/customer service activities taken on behalf of participants are EMPLOYER functions, this is posible. However, note that the authorization form to be executed will be that of the insurance carrier, not the employer or group health plan. You should verify with the insurance carrier that you will be able to operate in the manner you describe. If the insurance carrier is amenable (they most likely will be) and it is made clear to participants that HR is assisting in its role as employer, this should not negatively impact your exemption from the administrative requirements of HIPAA.

I second this, as Leonard and I share the same birthday.

I don't think a BAA is needed here. This seems like enrollment & eligibility information held by the employer, which is specifically excepted from the definition of PHI.

Well, the amendment needs to be effective April 14, 2004 (for small plans). There's nothing sayiong that it can't be adopted retroactively, but the plan is in violation until the amendment is adopted.

First, the cafeteria plan isn't what need to be amended. A health plan (including a Health FSA) attached to the cafeteria plan is the entity/document that must be amended. HHS, unfortunately, does not produce "snap on" amendments like the IRS for pension plans. The amendment must be drafted individually. However, the required provisions are stated in the reg at 164.504(f)(2). You can just lift the language from there.

I agree with Kowen. The rules you describe are not mandated by HIPAA, however, there is nothing preventing your employer from establishing this policy. If your employer believes that this is necessary to comply with HIPAA, however, he is incorrect.

VEBAGuru: I think she's asking specifically about HIPAA Privacy. Is there an actual health plan attached to the VEBA? That is the entity/document that would need amending.

Sorry, I re-read your question, and want to clarify something: A plan which meets the exception (under 50 participants and entirely self administered) is NOT a group health plan for HIPAA purposes. Therefore, no amendment would be necessary. I do want to reiterate that it is very rare for a plan to be able to meet this exception.

Not necessarily. The SMM is necessary for any change in the plan document that would affect the content of the SPD. There is no requirement that the privacy procedures be described in the SPD, so it is possible to take the position that no SMM is necessary.

Kwong, the short answer to your questions is "no". Self-administered, for HIPAA purposes, does not just mean that the plan administrator is the employer. If there is an outside TPA, the plan will not meet this very narrow exception to the rule. TPAs when acting on behalf of self-funded plans (like FSAs) are not covered entities under HIPAA. They are business associates of the covered entity, which is the plan.

Fully insured carriers ARE CEs, there's no question about that. I seriously doubt you'll be able to convince all of your carriers to act as an OHCA. Each carrier will issue its own separate privacy notice.

For what purpose are you considering an OHCA? If you are self funded, there is no need (and no possibility) of forming an OHCA with carriers, as TPAs are not covered entities. Do you mean consolidating all of your health "plans" into an OHCA? This is certainly possible, and permits you to issue a single Privacy Notice. There does not appear to be any requirement that an OHCA be formalized or documented in any way.

I'm not sure where it is in the pramble, but I have been assured by HHS reps that the estate representative is considered to be the individual for purposes of HIPAA. Therefore, the estate representative could receive PHI from any covered entity, and could execute authorizations on behalf of the individual. I don't know if this answers your question precisely, but I thought it might be helpful.

The answer to this one is a bit odd. Enrollment information (such as what you are describing) is PHI when held by a covered entity (like the plan). However, HHS has drawn a practical line here, as enrollment information is legitimately held by the employer both in its role as plan sponsor and as employer (for example, for determining premium withholding from active employees paychecks). Enrollment and eligibility information, when held by the employer as employer, is outside the definition of PHI. I think you can make the argument that this information is held by the employer in its role as employer, and is therefore not sunject to HIPAA.

164.502(e)(1)(ii)(B).