Steve72

A BAA may be part of another agreement. The plan administrator could sign the agreement. As you point out, it should be clear that, for the BAA portion of the agreement, the plan administrator is signing the document on behalf of the plan, and not in any other role (e.g., as an employer representative.)

>>>A "designated record set" is the information used to make coverage limits and claims adjudication descisions etc.<<< and >>>An employee of the plan sponsor/employer will have some PHI such as enrollment info but not this.<<< Not exactly. If you look at the definition of DRS in the regs, enrollment information an also constitute a DRS. Also, any set of information that is used "by a covered entity to make decisions about individuals" is included in the definition. Are you telling me that a plan (not the TPA) can't hold any information that would meet this definition? >>>An employee of the plan sponsor/employer will have some PHI such as enrollment info but not this. Plan functions performed by employees of a plan sponsor or employer do not include coverage limits and claims adjudication and they would therefore have no need for the info in the "designated record set".<<< Even assuming that the DRS in question does not involve enrollment informatin, I still don't think these statements are always correct. It depends on the employer/plan sponsor. I have clients who wish to continue to perform this function, and are able do so within the requirements of HIPAA. It's not possible to set out a blanket statement that employer representatives should not have access to certain PHI. The employer plan is its own entity for purposes of HIPAA. The TPA is not the plan. Neither is the employer, of course, but employer personnel will act on behalf of the plan, and will have access to PHI as a result. There are many ways in which an employer/plan sponsor can comply with HIPAA's rules. Employer/plan sponsors who wish to continue to have a "hands on" role with their plan have more to worry about from a compliance perspective, but for some it is worth it.

Thanks, I've read them. What I am taking issue with is your statement: " From your post I get the feeling that you might be the employer, if that is so then you should not have the information, if you do I suggest that you seek legal advice regarding your possession of PHI. Although you are self insured, you are the employer, you are NOT the Plan. " Even if French is (for example)HR director at the employer, there is nothing preventing him or her from also performing a plan function. If (s)he is doing so, (s)he will have access to PHI. I am not sure what your reference to a Business Associate Agreement means. The employer/plan relationship is explicitly NOT a business associate relationship. There is no agreement required (other than the plan amendment). There will be a business associate agreement with the TPA, which COULD contractually take over the responsibility to provide access to the designated record set, but nothing in French's post indicates that that is the case.

I agree with the first part of GBurs post, however, I want to get some clarification on the second part. GBurns, you state "Although you are self insured, you are the employer, you are NOT the Plan. " Are you saying that it is not possible for an individual to act both as the employer and the plan? If so, I strongly disagree. Employees of the employer, acting in their plan function, may have access to PHI, particularly in a self-funded environment.

"HIPAA does not preempt many state privacy laws, since many are more restrictive and stringent. As the HHS says HIPAA is only a "floor". See the HHS HIPAA Q&A 89, 108, 163 etc." The California SSN law, when applied to a prescription benefit plan, is preempted by ERISA, not HIPAA. "Isn't there a Federal Law that says that SS#s should not be used for identification purposes?" The only currently effective Federal law I am aware of that limits the use of SSNs limits only the U.S. Government's ability to collect SSNs. There's nothing that stops a private entity from using the SSN as an identifier. There are rumblings that such a law is forthcoming, however. "Isn't the SS# PHI? and even if not isn't it Private Financial Information under other laws both federal and state? " An SSN is not PHI because it is not health information. The SSN, attached to otherwise anonymized health information, would make the health information PHI. State laws, as mentioned above, likely do not apply to an ERISA health plan. GLBA (which I assume is the Federal privacy law to which you refer) applies only to banks and financial institutions. Time for an editorial comment: U.S. privacy law is quite a hodgepodge. The attempt to make sector-specific laws, rather than an overarching protection such as that found in Europe has resulted in some unfortunate overlaps and even more unfortunate oversights.

HIPAA doesn't protect SSNs. California has a state law (probably preempted) which might prevent this use. There's currently not any Federal privacy law that would prevent this.

I'm not sure, but I don't see any reason why a viatical settlement company wouldn't be able to step in here. Assuming there's nothing prohibiting your employee from naming the viatical settlor as a beneficiary, they may be willing to "purchase" such a designation with a discounted up-front payment. Like I said, I'm not sure. Viatical settlors may be hesitant to accept business regarding a group health plan because of the potential for the insured to leave the group.

That's right. A plan can release enrollment information to the employer. Once held by the employer in its role as employer, the information is not PHI. However, the source of the information should be documented (e.g., request goes to HR, not benefits) to ensure no difficulties arise due to the dual nature of this information.

Enrollment information, if held by the plan, is considered PHI.

I agree. Did I see a HIPAA board momentarily earlier today? Or was I hallucinating?

I remember going there as a kid.

PHI regarding a decedent is protected by HIPAA. a disclosure for the purpose you describe would, therefore, require an authorization. You should look to state law to determine who can act as a personal representative of the decedent to execute the authorization.

GBurns: You are correct that the employer is not the plan, but it is also important to note that neither is the broker. Nothing Kova has said has led me to believe that he is in any way a covered entity. Accordingly, his only HIPAA obligations will be through a business associate agreement. Since this client is not yet subject to HIPAA, there will be no such agreement. HIPAA will not serve as a barrier to disclose this information.

Sooo......He was fine when there was NO Federal law enforcing the protection of health information, but now that one is in effect, he's got a problem? I am aware of nothing in HIPAA that would permit a midyear change without a change in status.

GBurns: Check HIPAA 164.504 (f)(2)(ii)(I).

It depends. From what I've seen, that's the more common approach. However, there's nothing stopping an empolyer from using a single document to administer all of the plans. It would need to have sufficient information to operate each plan, however, and would probably be one heck of a document.

Absolutely. It's called a "wrap plan", and permits the employer to file a single 5500 for all of the benefits.

Would it be possible for de-identified information to be used for this purpose?

Why does the township want the information?

I suppose an argument could be made that this assistance is a payment or heath care operations function, and no authorization would be required, but that would require training all customer service personnel and bringing them within the HIPAA "firewall". I agree with DMK that the safer course of action is to obtain an authorization.

GBurns: The employer is not a covered entity, and therefore cannot hold PHI, except in its role as plan sponsor. If enrollment information is part of the employment record of an employee, it is explicitly excluded from the definition of PHI. The following is cut 'n' pasted from the preamble to the August 6, 2002 final regs: One commenter requested clarification as to whether the term ``employment record'' included the following information that is either maintained or transmitted by a fully insured group health plan to an insurer or HMO for enrollment and/or disenrollment purposes: (a) the identity of an individual including name, address, birth date, marital status, dependent information and SSN; (b) the individual's choice of plan; © the amount of premiums/contributions for coverage of the individual; (d) whether the individual is an active employee or retired; (e) whether the individual is enrolled in Medicare. Response: All of this information is protected health information when held by a fully insured group health plan and transmitted to an issuer or HMO, and the Privacy Rule applies when the group health plan discloses such information to any entity, including the plan sponsor. There are special rules in Sec. 164.504(f) which describe the conditions for disclosure of protected health information to the plan sponsor. If the group health plan received the information from the plan sponsor, it becomes protected health information when received by the group health plan. The plan sponsor is not the covered entity, so this information will not be protected when held by a plan sponsor, whether or not it is part of the plan sponsor's ``employment record.'

Enrollment information is PHI if held by the plan (it's not PHI if held by the employer). Because it's not clear from whom the COBRA administrator is receiving the information, some plan sponsors are insisting that such entities sign the business associate agreement. From the plan sponsor's perspective, having a BAA in place with a COBRA administrator shouldn't do any harm, absent unusal provisions in the agreement.

I'm not familiar with that requirement either. It would seem to be counter to the HIPAA rules to require an additional disclosure. Of course, whether a requirement is logical doesn't necessarily mean anything....

I think it's ambiguous whether multiple health plans "wrapped" together could constitute one or more plans for HIPAA purposes. Whichever stance the employer takes, all activities should be consistent with that stance (i.e., if the employer takes advantage of the small plan extension, the plans should be treated as separate entities come April 14, 2004).

In my opinion, I don't think there is any requirement to update the SPD. The amendment to the plan does not affect required SPD provisions. Additionally, each new participant will already be receiving a copy of the notice.