Steve72

Everything posted by Steve72

  1. Naaaaah, this stuff is fun. The requirements for designation as a hybrid entity are in 164.504(c)(3)(iii) and 164.530(j). Essentially, you just need to create and retain a corporate document which designates the covered entity as a hybrid entity. There doesn't appear to be a filing requirement, just a documentation requirement. The health care component can be part of the OHCA. (Slightly controversial alternative follows) Alternatively, you could consider it a separate plan. Because it is likely that the health care component is a "small plan" for purposes of HIPAA, you can take advantage of the automatic one-year extension for this plan. During that period, it is possible HHS will clarify that an FSA is not a health plan. There are rumblings that this may happen.
  2. Maybe. HIPAA incorporates state law for purposes of determining whether an individual is a "personal representative". A company should establish procedures that recognize the law in each state in which it has employees. EOBs may be sent to the employee-participant. However, it is unlikely (for example) that a detailed discussion of claims history regarding an adult child can be disclosed to a parent without authorization.
  3. Why does the broker interface/communicate with the TPA/carrier? If it's for a plan function, there is probably a need for a business associate agreement.
  4. You're right. There does not appear to be anything formal that an employer should do to designate an OHCA. The regs say specifically that multiple health plans can be treated as an OHCA, however. So long as the NOPP accurately describes the practices of each of the plans, a joint NOPP can be issued.
  5. If a medical provider sends PHI in error to the employer, the medical provider is in trouble. However, at that point, the medical information is outside the HIPAA box, and no longer technically subject to HIPAA rules. However, as you have alluded, there are state law considerations. Misuse of health information received by "accident" would be a very bad idea, in my opinion. There have already been state court rulings that hold that the HIPAA rules are the standard of care for common law breach of privacy claims against non-covered entities involving health information. As for your second question, see 164.508(c)(1)(iv).
  6. The activities you describe appear to be performed on behalf of the employer, not the plan, therefore, no business associate agreement is necessary. However, you should review the services provided by the broker. I know many brokers offer "value added" services (like customer service activities for enrollees). It is possible that some of these services may be business associate activities.
  7. You can send a joint notice if you designate all of your plans as an "Organized Health Care Arrangement". You just need to make sure the procedures in the notice apply to all of the plans.
  8. Section 164.534 of the Regs contains the compliance dates. It specifically states April 14th of 2003 and 2004. However, both of those (as well as the EDI compliance date) are business days, as far as I know. What is your concern?
  9. In addition to the administrative requirements discussed above, you will have to ensure that the individual who receives the information is appropriately trained to utilize PHI solely for permitted purposes for the FSA, and that the information does not migrate to the employer or other benefit plans. There is nothing in HIPAA preventing you from receiving the information in the manner you describe, so long as PHI is adequately protected at all stages.
  10. I agree with Misty, except the return is the greater of the underpayment rate she describes or the actual return for that period.
  11. Agreed, except I think you meant that the FSA WILL be a self-insured plan.
  12. I agree with GBurns. HIPAA specifically states that Summary Health Information may be used for premium bidding. The release of PHI beyond SHI to the employer is something that will be prohibited by HIPAA. I would advise contacting the insurer and informing them that they should change the report to make it SHI. They should be amenable, as this would be a HIPAA concern of theirs as well.
  13. As currently defined, FSAs are "covered entities" under HIPAA. Kip's statement that: "If you, as the employer are processing the FSA claims then you may be receiving PHI and I would say you might be a covered entity under the HIPAA privacy rules." is close, but not entirely accurate. An employer is not a covered entity. The plan is the covered entity. It is vitally important that a plan sponsor separate these two functions. PHI obtained by the FSA should not be disclosed outside the FSA. You should "firewall" employees who perform services for the FSA to ensure that unlawful disclosures do not occur. However, most stand-alone FSAs will be "small health plans" under HIPAA, and have an extended compliance date (April 14, 2004). HHS has made some rumblings about possibly exempting some FSAs from HIPAA, but there has been nothing official released yet.
  14. Only if you also want to pay another excise tax under Section 4975.
  15. Take a look at ERISA Reg 2510.3-1(j). That's what the vendor is hanging its hat on. The "endorsement" question in 2510.3-1(j) is a very fine one, and one which the entities that sell these products tend not to be very well informed of (my high school English teacher would kill me for that last sentence). Courts have reached different conclusions on what level of employer involvement constitutes "endorsement". If you are solely performing ministerial tasks, you are probably OK, but some courts have found that something as simple as distributing information on the plan on employer letterhead is sufficient to merit ERISA coverage. It is impossible for the vendor to correctly make a blanket statement that "ERISA does not apply". In order to avoid ERISA, the employer must distance itself almost entirely from the benefit.
  16. I think consistency is the most important thing to have. If you have individuals who have an established need to use PHI, train them. If they do not have this need, institute policies that state that they should not use PHI.
  17. Train 'em. These people (as well as internal audit, or other individuals who may come into contact with HIPAA information in the regular course of their duties) should be brought into the HIPAA box. This means training the individuals and describing their duties in the NOPP and amendment. The confidentiality agreement will likely be insufficient.
  18. I agree with GBurns. Is there a reason you are maintaining this form as part of the employee file? Is there any reason you need the information? If not, it's better to change your current practice than to try to comply with HIPAA's requirements.
  19. What PHI is contained in the enrollment forms? Enrollment information itself is not considered PHI when held by the employer. You should also look at issues such as customer service, to determine whether insurance company representatives are disclosing PHI to your employees who call on behalf of participants. Absent modification, this practice is probably a "use or disclosure beyond SHI or enrollment/eligibility information" that would eliminate the exemption from the administrative requirements. You've really got to review your current practices to make sure no PHI is slipping through the cracks. Most employers are truly amazed when they discover what information is really coming and going from their benefits department.
  20. But the cost to the employee to "enable the employee to be gainfully employed" is $225. The fact that there would be no additional expense if the employee were to utilize the services when he or she were sick should not affect the reimbursability of the expenses.
  21. The biggest obstacle, in my opinion, is actually tracking the flow of information in your company currently. Most HR directors believe they understand who uses or needs particular information, but when a detailed review is done, they are almost always surprised at the results. Tailoring a survey or other tool to get all of this information from all aspects of your operation is the first difficulty.
  22. >>>I just hate to start feeling that HIPAA privacy relating to the health plan is violated when birth announcements and updates on hospitalized employees are promulgated when the health plan had nothing to do with this<<< I feel comfortable that you are safe here. As long as individuals are not disseminating information that was received through plan roles, there are no HIPAA implications from the employer standpoint. >>>Our employee handbook contains a statement indicating that certain employees or supervisors may be in receipt of confidential medical information and that they are not permitted to share such privileged information with friends, family, or coworkers except as specifically authorized. <<< If this provision is to apply to all HR personnel, you may want to consider changing the word "authorized" to avoid the impression that you are talking about a HIPAA authorization.
  23. The employer must determine which of its employees need access to PHI to perform their job duties. Information related to enrollment and eligibility is not PHI when held by an employer. Similarly, general benefits related questions (are chiropractic services covered?) are not PHI. If an individual employee discloses his or her own information to a non-HIPAA component of the employer (e.g., the HR department in your example), the information has been disclosed to the employer (a non-covered entity) in a permissible manner and is no longer subject to HIPAA. Note, however, that this is an area that is just begging for a lawsuit based on the misunderstanding of the employee. If the employer wishes to keep HR employees out of the HIPAA box, this should be clearly communicated to all employees (as well as being described in the plan amendment). Note also that removing these employees from the HIPAA box means they will be unable to access PHI from sources other than the participant (e.g., they will not be able to contact an insurance company or TPA to clarify an EOB question). HIPAA privacy will apply to any employee who accesses PHI as part of his or her job function. The employer should describe these individuals and the functions they perform in the plan amendment.