Steve72

Registered
  • Posts

    321

Everything posted by Steve72

  1. That's certainly the safest solution. The problem, as you pointed out earlier, is in a small company where, for example, the HR Director is also the Privacy Officer. (Four commas in one sentence. I'm definitely going to grammar purgatory for that one.) If the individual's input is necessary in his/her role in both areas (HR and Privacy), then the solution you propose may not be possible. In this case, I think it becomes more analogous to a discrimination-in-hiring issue. The HR Director should document as clearly as possible the non-PHI related reasoning for his/her decision. That way, the company will have a record to fall back on if HHS comes knocking.
  2. The short, semi-cynical answer is, he can't because HIPAA says he can't. It's the same type of analysis used when an officer acts on behalf of both the plan and the plan sponsor. As you point out, this will be a difficult process, as knowledge can't be "unlearned" for non-HIPAA related functions. I don't know that there is a perfect answer for the situation you outline. If the individual believes PHI has made its way out of the plan function and into the employer function, there is a HIPAA issue. It would probably be up to a court to decide whether the HR director adequately firewalled the information from use in employment decisions.
  3. HIPAA requires segregation of information, not individuals. There is nothing preventing a person from performing tasks both inside and outside the "HIPAA firewall", so long as PHI received in the course of covered duties is not used for non-covered functions. Such individuals will have to be trained that they "wear multiple hats" in their employment roles, and that they must keep their duties separated. Similarly, a HIPAA privacy officer may, and usually does, serve other functions for the employer.
  4. While it is not clear, the general consensus is that multiple fully insured plans combined as a wrap plan for 5500 filing purposes are combined for determining whether the $5 million threshold. If the plans are not combined, then the premiums for each could be considered separately. As a practical matter, however, the insurance company vendors will be coming into compliance for their own purposes this year. Many of the compliance requirements for fully insured plans are deferred to the insurance companies. Employers in the circumstances you describe may want to consider aligning their processes with the (hopefully) compliant processes of their vendors regardless of the actual compliance date.
  5. No. For the transaction standards, the small health plan definition is immaterial if an extension has been filed for. If the plan wants the additional year for the PRIVACY standards, you should look at the last full fiscal year that ended before April, 2003.
  6. Google can do anything.
  7. Because the small plan definition is relevant for a one-year extension, you look at the annual receipts for the last full fiscal year before April, 2003. See here: http://questions.cms.hhs.gov/cgi-bin/cmshh...ated=1031601197 for information on how to calculate the "annual receipts" of a health plan. -Edit below- April, 2003 is the relevant year for the one-year extension of the Privacy Rule. If you are interested in the automatic extension for the transaction standards (and did not file for an extension) the relevant date is October, 2002.
  8. You said a mouthful. The answer depends on what type of covered entity you are talking about. This being a benefits board, I assume you are referring to an employer-sponsored health plan. The answer will differ significantly if you are talking about an insurer, provider or clearinghouse. First, HIPAA's preemption is completely different from ERISA's. HIPAA sets a floor, but does not preempt any state laws that are more restrictive (there are many). A great database of health privacy laws by state can be found at: http://www.healthprivacy.org/info-url_noca...o-url_nocat.htm There are differing opinions as to whether a state privacy law may be made applicable to an employee benefit plan by HIPAA's almost "reverse preemption". The preamble to the final privacy rule says that HIPAA does not affect ERISA preemption, so I am of the opinion that state privacy laws will continue to be inapplicable to employer sponsored benefit plans. There are firms who have reached the opposite conclusion. Feel free to drop me an email if you want to discuss specific state laws.
  9. .....That's your Federal government.
  10. The regs require that a plan document be amended to state that the plan will only disclose PHI to the employer once it receives a certification from the employer that the PHI will be used for limited purposes. Causing the plan to disclose PHI to the employer, which is then used by the employer for purposes that would not be permitted by HIPAA, is arguably a failure to follow plan documents.
  11. That is correct, see Section 164.530(k)(1)(ii) of the Privacy Rule. Additionally, if the employer receives PHI beyond SHI or enrollment, it should review the purposes for which the PHI is utilized. Even though employers are not subject to HIPAA's sanctions, the fact that an amendment has been made to the plan would make any non-HIPAA compliant use a violation of ERISA. I've always thought that little end-around was a clever move by HHS.
  12. Carsca is right. However, there have been some rumblings that HHS is considering exempting FSAs from the privacy requirements. As far as the second part of SCUDDESLER's question, a fully-insured medical plan is a covered entity. Such plans are exempted from most of the administrative requirements of HIPAA (e.g., appointing a privacy officer). The sponsor will still need to enter into business associate contracts with business associates and amend documents. As an aside, the employer should carefully review its practices to ensure that no PHI beyond SHI is received. In my experience, many employers who make this assertion are unaware of the activities of their own HR or benefits employees.
  13. It depends on the policy. If drug testing is performed on-site, by a clinic or employee physician, the clinic/physician MAY constitute a covered entity under HIPAA and be subject to all requirements. However, if the drug testing is done off-site, the employer will need to follow whatever requirements the off-site facility requires. If results are sent directly to the employer, the employer will probably need to require employees to execute an authorization to release the results on a form acceptable to the drug testing facility.
  14. I agree with Mal. I have seen several Davis-Bacon plans with vesting schedules that prevent the participants from ever vesting. I know the DOL is aware of, and doesn't like, the issue, but they don't appear to be able to do anything about it.
  15. Mandated Health Benefits - The COBRA Guide, by Paul Hamburger (I am not affiliated with Mr. Hamburger or Thompson publishing)
  16. You can always disclose PHI to the individual to whom it pertains. If you are transmitting benefit statements that pertain to an individual employee to that employee, there should be no HIPAA implications (other than the fact that you should use appropriate safeguards to prevent the unnecessary disclosure of the information). How are you going to determine to whom to send the benefit statement if you remove all identifiers?
  17. As for your second question, the plan should obtain an authorization if it utilizes PHI for anything not permitted by the rules. What are you planning to do with the information?
  18. HIPAA uses a different definition of "plan" than ERISA, which causes quite a bit of confusion. A "health plan", for purposes of HIPAA, includes both an ERISA plan and an insurance company. A health plan is required to be able to conduct covered transactions electronically. However, most employer sponsored health plans conduct these transactions through an insurer or TPA. Most insurers and TPAs are in the process of adapting their procedures to comply with HIPAA's EDI requirements (because the vast majority of such entities are health plans themselves). If an employer sponsored health plan depends upon these entities to conduct its transactions, it will be compliant when they are. For this reason, it is vitally important to track the progress vendors and TPAs are making towards compliance. Note that the responsibility to comply still falls upon the employer sponsored health plan. You should have filed an extension for the plan and noted that you were depending on vendors and TPAs. Otherwise, the plan may be in technical violation of the EDI requirements.
  19. Steve72

    Opt-Out

    Papogi: What if the election were made a condition of employment? I.e., the election to take additional cash compensation or benefits was a one-time election at date of hire, and was not subject to annual changes.
  20. 1) There is no exception for governmental entities or municipalities. A municipal-sponsored health plan is a covered entity. 2) N/A. A covered entity must enter into a BAA with any third party that meets the definition of a business associate. 3) Business associates are not directly governed by the privacy rule (except in their covered function, if also a covered entity). The covered entity has the responsibility to ensure the contract is executed and is adequate. However, this does not mean that business associates will not initiate this process. Entities that perform services as business associates are, for the most part, well aware of these rules, and are acting to ensure that they can continue to do business.
  21. Whether you are wrong or not depends on whether the testing entity is a covered entity. Many employer clinics maintained for this purpose are able to escape from HIPAA's definition (for example, because they do not conduct any covered transactions electronically). Even if the testing entity is a covered entity, however, there is a (relatively) easy out. Remember that the employer itself is not covered by HIPAA's rules. There is nothing in HIPAA that would prevent an employer from requiring an employee to submit to drug testing and executing an authorization for the employer to receive the information. Failure to execute the authorization would subject the employee to disciplinary action. HIPAA prevents covered entities from conditioning the provision of treatment, payment or healthcare operations on the execution of an authorization. It does not extend similar restrictions to employers.
  22. When you refer to the "administrator unit", I assume you mean those employees who work on behalf of the plan. IIHI received by these individuals is PHI, and should be used and disclosed in accordance with HIPAA's rules. A signed release will not permit the disclosure unless it is a HIPAA compliant authorization (including the requirement that the authorization have a specified expiration date or event). A covered entity may release PHI for treatment purposes of a health care provider. If the individual requires treatment, the administrator may disclose relevant PHI to the clinic, subject to the minimum necessary rule. However, it sounds as if the PHI is being released prior to any treatment need. This would likely go beyond the permitted disclosure, and would almost certainly violate the minimum necessary rule.
  23. Steve72

    Multi-purpose VEBA

    The newly released Rev.Rul 2002-80, discussed in today's Benefitslink newsletter, seems like helpful reading in this discussion.
  24. I disagree with the second part of Kip's post. A COBRA participant must be granted the same rights as employee-participants. If there is a special enrollment right, then the COBRA participant must be given the opportunity to enroll. That said, I don't know whether there's a "loss" of coverage here. Is there any difference between the wife's active and retiree dental plans? If the retiree plan is inferior, there could be a loss of coverage granting a special enrollment right.
  25. Link to Chapter 393 of Hawaii Revised Statutes: http://www.capitol.hawaii.gov/hrscurrent/V...6-0398/HRS0393/