Steve72

Insurers are not considered business associates of the fully-insured plan.

I agree with rosskeene's post, and would add that complications could arise if your plan states that "spouses" are entitled to COBRA. An insurer (or reinsurer, in a self-funded arrangement) will likely want to exclude same-sex spouses from COBRA eligibility due to DOMA, regardless of the manner in which the plan document is interpreted. This could lead to the employer being bound by the plan document without a valid coverage option.

PHI is individually identifiable health information that is created or received by the plan. The claims forms would clearly be PHI once they are held by the plan or its business associates, IMO.

For what purpose are the records held by the employer? IF these are records held outside of the health plan (for example, FMLA or absence records), then HIPAA does not apply.

GBurns: Aye, there's the rub. It depends on how narrowly the "enrollment/disenrollment" exception is read. I can see both sides. As a practical note, HHS has said that it is aware of a lack of clarity surrounding certain issues, and will not take a hard-line enforcement approach. They say that they've engaged in a few outreach actions, but have taken an educational, rather than a punitive approach.

Again, I do not disagree with your analysis from a policy perspective. However, the HIPAA rules were drafted for providers, not employer sponsored plans. In many ways, HHS has attempted to alter the rules applicability to ERISA plans to ensure that business operations can continue. Your statement regarding the underlying theory is correct, and is, in fact, why I think this argument flies. Health information (e.g., enrollment information) is (arguably) not being transferred from a covered entity (the plan), but from the employer. The employer is under no HIPAA obligation to protect enrollment information, neither is its contractor.

Without reading the statute, I would have to say no, as any state statute which attempted to impose mandated coverages on an employer sponsored plan (other than through governing a contract of insurance) would be preempted.

As a former DOL guy, I think you are right on the money, Kirk.

"But I will freely concede that you have a good faith argument. " Works for me. I also freely concede that this argument is far from doubt. When there is a question, I always recomend seeking the BAA. However, some service providers are adamant that they are acting on behalf of the employer. If so, I believe the above is the stance to take. As I may have said before, I believe that HHS's understanding of the ERISA universe is.....less than sophisticated. Many of these issues may need further guidance, which may not be forthcoming.

Intellectually, I agree with your reasoning, kowen, however, looking at it in that manner would render the statement that enrollment and disenrollment information held by the employer and not the plan is not PHI meaningless. I apologize for the ungainliness of that last sentence.

Kirk, you (and kowen) raise an interesting point. I do not think it changes the result, however. The Social Security determination, until it is received by a covered entity (or the business associate of a covered entity) is not PHI. If you take the position that the COBRA service provider is acting on behalf of the employer and not the plan, then the receipt of the determination will not impact that determination...unless the determination is received directly from the plan. I agree that this seems counter-intuitive. One would think that the determination would be one of the pieces of information that would be most protected. Due to the manner in which HIPAA was crafted, however, only information used or disclosed by a covered entity is protected. Once the information is disclosed outside a covered entity, it is outside HIPAA's protection.

BenefitsLawyer is correct. Many COBRA service providers are taking the position that they act on behalf of the employer and not the plan. It is a defensible position, in my opinion.

Just wanted to add my agreement that the union is neither a BA or the personal representative of the plan.

Although Mary C's post is correct, it is important that sponsors of fully insured plans make sure that their insurer is willing to go above and beyond the requirements of COBRA. Otherwise, the employer runs the risk of being on the hook for services that are not covered by the insurance contract.

Cgross is correct that state laws may apply. The HIPAA rules you cite....portability, pre-ex limitation, etc. are NOT applicable to non-group insurance.

I agree that this would be a violation of the rule as drafted. However, it does appear to comply with Medicare's own procedures for accessing information. HHS has done a couple things that, in my opinion, violate the letter of the law of HIPAA (permitting temporary verbal authorizations and spousal access as described, for example). The safest route is to follow Kowen's advice. If the employer determines that this would create an administrative nightmare, they may be able to put forward an argument that HHS has permitted this type of process for its own covered entity functions.

Well, Treasury regulations won't affect the ERISA reporting requirements. If sponsored by an employer, the HSA would probably be subject to the same SPD and documentation requirements as other ERISA plans (e.g., health FSAs). As you point out, the high-deductible insurance plan would also be subject to the requirements. They could probably be "bundled" for documentation purposes, like other welfare plans.

GBurns: "I thought that Cal-COBRA just like COBRA applies to employers not insurance companies and HMOs. I thought COBRA applied to insurance coverage/arrangements not to health plans." My understanding is that Cal-COBRA is an insurance law that governs contracts of group insurance issued in California. COBRA applies to the plan sponsor. A plan sponsor may not offer a group health plan (insured or uninsured) that does not comply with COBRA. We may very well be saying the same thing here.

The POP plan (now) never has to file a 5500. However, the underlying health plan (unless it meets the exceptions) does.

I don't think you have a benefits test issue, in that 105 only applies to the fully insured portion of the plan. For purposes of the benefits test of 105(h), I do not think you compare the self insured plan to fully insured benefits. (The regs state that benefits offered "under a plan" may not discriminate. I read this to mean benefits under a self-insured plan.) You state that there are HCEs and non-HCEs in both plans. What is the distinction being drawn? If you have an arrangement that would satisfy the eligibility test (see 1.105-11©(2)), I think you are OK from a discrimination standpoint. That said, the 105(h) rules are FAR from clear (IMHO), and you could do worse than restructuring as Kip Kraus suggests.

As has been pointed out, there are significant compliance issues (under both the ADA and HIPAA) for the program you describe. It sounds like you're trying to meet the requirements of a bona fide wellness program. To answer your specific questions, you CANNOT condition the discount on success in the program. You must also offer "alternative means" of satisfying the requirements for individuals who cannot satisfy the current requirements of the program.

I don't think that's what mbozek said: "ERISA preempts all state laws that pertain to a self funded plan which is not a MEWA, including insurance laws" The second part of the quote is important. State insurance departments cannot regulate a self-funded plan. ERISA does not preempt a state insurance law to the extent it governs the insurance provider (e.g., a state can set standards for group contracts sold within its jurisdiction). This has an effect on fully insured plans, but will not impact a self-insured plan, as there is no group insurance contract involved.

...Is National Talk Like a Pirate Day. www.talklikeapirate.com Arrrrr.

If the supervisor is not involved with the health plan, there are no HIPAA implications. That doesn't mean that there aren't state law privacy issues, however.

Here's a quick starting point that can let you know where to look: http://www.cobrahealth.com/statelawdirectory.htm