Jbentz

I agree with Jeannine regarding the information on the EOB. This can be considered part of the payment process and is allowed without a written authorization.

I have not heard of this requirement, and a POA is an overkill if you just want to help get a claim paid. We are a clinic with over 150 physicians, and I have been their Privacy Officer for three years. I have never seen a POA for an employer, nor would we request one. We would, however, request a HIPAA compliant Authorization before releasing information. There are many kinds of POAs, ranging from financial, health, or all empowering. I will let the legal gurus chime in on this, but I would never require a POA to release information to an employer. Perhaps there is a state law requiring this, but I have never heard of this requirement.

I agree that if you use a HIPAA compliant auth form that will be between the EMPLOYEE and the insurance company, with permission to release the PHI to the EMPLOYER/benefit specialist you will not be required to comply with the other admin duties. The purpose listed should be very clear that it is for assisting the employee with claims adjudication (you may even want to list specific date of service). With the correct auth form, you are not giving the group health plan any PHI.

We do have our PATIENT Notice translated into Spanish, but because of the Medicare and Medicaid guidelines, not HIPAA. For our plans, we only have ours in English.

I know we were required to do this for our ACE and OHCA, so I did a search of the regs. I found under 164.520 "(d) Implementation specifications: joint notice by separate covered entities. Covered entities that participate in organized health care arrangements may comply with this section by a joint notice, provided that: (1) The covered entities participating in the organized health care arrangement agree to abide by the terms of the notice with respect to protected health information created or received by the covered entity as part of its participation in the organized health care arrangement; (2) The joint notice meets the implementation specifications in paragraph (b) of this section, except that the statements required by this section may be altered to reflect the fact that the notice covers more than one covered entity; and (i) Describes with reasonable specificity the covered entities, or class of entities, to which the joint notice applies; (ii) Describes with reasonable specificity the service delivery sites, or classes of service delivery sites, to which the joint notice applies; and (iii) If applicable, states that the covered entities participating in the organized health care arrangement will share protected health information with each other, as necessary to carry out treatment, payment, or health care operations relating to the organized health care arrangement. So yes, I think yit is required.

As a provider, we accept these as documents, as long as healthcare is included. We accept them under the personal representative clause under HIPAA and we only require that we have a copy in the patient's files.

If they won't accept that argument, even if it does fall under the HIPAA regulations, you can use the information for operations purposes. This would qualify under 164.501, definitions of operations: (3) Underwriting, premium rating, and other activities relating to the creation, renewal or replacement of a contract of health insurance or health benefits, and ceding, securing, or placing a contract for reinsurance of risk relating to claims for health care (including stop-loss insurance and excess of loss insurance), provided that the requirements of § 164.514(g) are met, if applicable; Either way, covered or not, I think they can release that information to you.

AshleyL, I know the on-site, off-site makes no sense to me either. We have both, so I always throw in the "medical care is secondary or incidental" part of the regs. My first requirement in my HIPAA employee training to "please leave your common sense outside. You will not be needing it for the next two hours." )

jgf810, It does sound like that each plan is a separate covered entity, but you need to go to to FR 164.104 in the HIPAA regs and see if you meet the definition of an Affiliated Covered Entity (ACE) for each. There are certain requirements you must meet, but it does make things easier for the paperwork - notice, BAAs, etc... I have done this for providers who are covered entities, but I read the regs and I think you can also do it for health plans. It is worth checking out.

No, I don't the plan is a CE, based on the following Q&A from the OCR's website: "Are the following types of insurance covered under HIPAA: long/short term disability; workers'compensation; automobile liablity that includes coverage for medical payments? Answer No, the listed types of policies are not health plans. The HIPAA Administrative Simplification regulations specifically exclude from the definition of a “health plan” any policy, plan, or program to the extent that it provides, or pays for the cost of, excepted benefits, which are listed in section 2791©(1) of the Public Health Service Act, 42 U.S.C. 300gg-91©(1). See 45 CFR 160.103. As described in the statute, excepted benefits are one or more (or any combination thereof) of the following policies, plans or programs: - Coverage only for accident, or disability income insurance, or any combination thereof. - Coverage issued as a supplement to liability insurance. - Liability insurance, including general liability insurance and automobile liability insurance. - Workers’ compensation or similar insurance. - Automobile medical payment insurance. - Credit-only insurance. - Coverage for on-site medical clinics - Other similar insurance coverage, specified in regulations, under which benefits for medical care are secondary or incidental to other insurance benefits. " I think you have an arugument whether it is on-site or off-site, because it it secondary or incidental to your other insurance benefits. It also does not sound like you have any type of enrollment, etc....

As for HIPAA privacy regs, you are not affected becuase you are not a covered entity. The company that you contract may be, if they are part of a clinic or a hospital, but that depends on how the have catagorized themselves under HIPAA. The company may have to pass out Notices, etc... (the Occ Med department at my clinic does.)

I do not think it qulaifies under FMLA for the exact same reasons. Do you have a policy for an LOA when it is outside of FMLA? Depending on the policy wording, this may qualify.

I don't know what state you are in, but most states have some kind of HIPAA organization. Indiana's is www.indianahipaa.org. They are a wealth of knowledge. I would think that SHRM would also have some info. Also try www.hipaaadvisory.com for overall information.

A few other thoughts... Since the patient is in a clinical trial, find out exactly what cost the patient is responsible for. Most clinical trials compensate the participants in some way. It is possible that the procedure or the drug that the trial is for will be provided; they may just be looking to cover hospital and ancillary services. I would also ask WHY they consider it experimental in nature. This will allow you to research find out under the FDA is THEY consider it experimental. Good luck.

I use the "three legged stool" method for my analysis for BAs that AHIMA (American Health Information Management Association) recommends: 1) Are you sharing PHI? 2) Are they outside your workforce? 3) Are they doing something on your behalf? All three answers must be yes or they do not qualify. If your service provider still disagrees, then ask them to tell you why under the definition under 160.103. I also ask for them to document their decision so I may send it to our attorney and to the OCR for clarification. That usually brings them around to my way of thinking. Let me know if you need any further help, will be glad to help.