Jbentz

Christine, I am sorry, I did not include the regulation references. 160.103 contains the definitions for a covered entity. (1) Except as provided in paragraph (2) of this definition, business associate means, with respect to a covered entity, a person Covered entity means: (1) A health plan. (2) A health care clearinghouse. (3) A health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter. 164.520 contains the information regarding the Notice itself, with different requirements for providers and health plans. Let me know if you need anything else, I will be glad to help.

Yes, the hospital and the plan are two separate covered entities. You could combine them, but i do not reccommend it. There are different issues with each and for us, it was much easier to keep them separate. We have one for patients, we have another one for our health plan (members).

No, I am not confusing nurses with NPs. I am fully aware of the difference and in the clinic where I work (Indiana), the doctors do sign off on everything the NPs do and they do review each chart. I am not aware if this is a state law or just our best practices.

I am not a billing expert, but I can tell you that the cpt codes used for office visits are based on other factors, not on WHO performed the exam. It is not any cheaper to be seen by a nurse, nurse practioner, etc.... because a doctor must oversee, review and sign off on EVERYTHING that they do. So while you may see a NP for a cold, behind the scenes, the doctor is still reviewing the chart, approving meds and treatment, etc... You are still getting their expertise and supervision whether you see them face to face or not. Hope this helps.

OTC drugs are considered part of all hospital bills - it is part of the treatment while you are there. I have been in this business for 14 years and I have never seen them denied. Most hospitals will not let you bring in your own OTCs or prescriptions, they need to regulate all medications while you are there, based on your reasons for being there, other medications, etc... The EOB question will depend on the codes used by each insurance company and will vary greatly. Some plans do not pay for "take home drugs" as part of the hospital charges. These will denied, even prescription drugs. The ususal reasoning is that these are prescription drugs and scripts could have been given. That way the plan will process them as prescriptions, with co-pays, discounts, etc. I got burned on that once in the ER and have asked for WRITTEN prescriptions since. They were covered by my Section 125 plan. Hope this helps.

It does sound fishy, but I can tell you from having it, carpel tunnel during pregnancy is pretty common. I was pretty surprized by it, but my nurses and doctor told me it was a normal side effect, especally for those who spend a lot of time of computers. While it was pretty severe during my pregnancy, it cleared up about 1 year after I had my son. I would leave it up to the carriers and their claim department to investigate the supporting documentation.

My thought was that he was a covered individual before he waived coverage, so he woudl have PHI before 2000. That is what i get for thinking and assuming!

Your obligations are really going to depend on your state laws also, because most states had access laws before HIPAA. Since the other plans under the five million mark still must comply by April 14, 2004, where your intentions to have your notice all of your plans or just your medical plan? Are you going to issue different notices for the others, or use the same one? What is the wording in your NPP now? Is your issue in getting and retrieving the records that the employer has requested, or in giving the employer access to the records?

Thanks for the clarification on CBA. Based on what you said, I do not think the CBA rule applies based on that she is not going "back" on the plan until after a waiting period. If this is the true wording in the CBA, then this not apply to this situation because she does have certain HIPAA rights for special enrollment. I would look at the special enrollment rights of the CBA. I also do not think that the CBA can be excluded from the federal laws of HIPAA. Has she contacted a union rep?

I hate to sound dumb, but what is a CBA?

The Privacy Rule does not specifically state that EOBs cannot be mailed to the primary insured. So I believe that this falls under the category of "Payment." Please see the follwoing FAQ from HHS' website: Question: Does the HIPAA Privacy Rule permit a covered entity or its collection agency to communicate with parties other than the patient (e.g., spouses or guardians) regarding payment of a bill? Answer Yes. The Privacy Rule permits a covered entity, or a business associate acting on behalf of a covered entity (e.g., a collection agency), to disclose protected health information as necessary to obtain payment for health care, and does not limit to whom such a disclosure may be made. Therefore, a covered entity, or its business associate, may contact persons other than the individual as necessary to obtain payment for health care services. See 45 CFR 164.506© and the definition of “payment” at 45 CFR 164.501. However, the Privacy Rule requires a covered entity, or its business associate, to reasonably limit the amount of information disclosed for such purposes to the minimum necessary, as well as to abide by any reasonable requests for confidential communications and any agreed-to restrictions on the use or disclosure of protected health information. See 45 CFR 164.502(b), 164.514(d), and 164.522. I think as long as you follow minimum necessary and allow for restrictions and confidential communcication, you are fine. .

Too add my two cents as a provider...we would verify for the employer if the not is ligiimate. We would not answer any other questions without a HIPAA valid authorization from the patient.

I agree that HIPAA does not allow for any employee to drop coverage due to the regulations. He can ask for a restriction on the notice (you do not have to grant it, but at least you would know what the real problem is). He can always ask for an accounting of disclosure in the future. Even if he could withdraw from the plan, you cannot destroy his PHI that you have, so he woudl not be gaining anything.

The request could be due to the HIPAA regs regarding Business Assoicates. The BAAs do state that all PHI is to be returned or destroyed. Even if you did not have a contract with them, they might be using that as a guideline.

There are both criminal and civil fines associated with HIPAA and they are both Civil Monetary Penalties CIVIL: Fine of not more than $100 per violation with an annual limit per person of $25,000 for all violations of an identical requirement or prohibition Enforced by HHS Office of Civil Rights (OCR) which may investigate complaints about a Covered Entity’s privacy practices and conduct compliance reviews HHS may attempt to resolve noncompliance by informal means – cooperation and technical assistance No right to private lawsuit by “injured” individual but can file complaint with HHS Criminal: Up to $50,000 and 1 year in jail for knowing misuse of a unique health identifier or obtaining or disclosing PHI Up to $100,000 and 5 years in jail if offense is under false pretenses Up to $250,000 and 10 years in jail if offense is with intent to use PHI for commercial advantage I believe the jail time woudl be to the CEO - they seem to the one on the cuff for other legal issues, but i do not know. I also think it depends on how your organization is set up internally. Does anyone else? What you are dealing with is an intential misuse which would need to be logged for each patient for the Accounting of Disclosures for each time it happens. I would think that the fact the would be enough to get their attention!

I have not heard of that requirement, nor can I find any reference to it in the regs or December 4th guidance.

I agree with you that the BA agreement should cover the TPA. I am finding that many of the CEs are still requiring written authorizations when they are not needed under HIPAA (payment and treatment.) With all the paperwork we now are required to do, I am reluctant to add any additional.

I ahve a listing but it is provider based, not health plan based. If you are interested in it to at least give you a basis, let me know. Also on a non-HIPAA compliant release, after April 14th, you should not be honoring them. Hipaa Mandates that the release have the 10 elements to be valid. Send it back and request the missing elements. I would also state mandates. If it was signed before April 14th, you do not have to log it anyway.

You are correct, "major players" is not the best to use. My HR department quantified it for all employees, using a simple scale of 1-4. 1 - they employee uses PHI everyday. 4 - never have direct contact with PHI. We also flow charted all the PHI to see who used the information. We now know who we have to train and to what level. We also have great documention for minimum necessary guidelines and for consistent training decisions.

I agree with Steve, train'em. I can tell you from personal experience that the training has been a huge benefit to me due to the questions and "what ifs" i recieved from my HR crew. I would do flow charting of the PHI and if the Union reps are major players, i would train them before April 14th. Judith

Why would a TPA be sending an NPP? Most TPAs are not Covered Entities, only Business Associates of a plan, so they are not required to send one. They may be contracted to provide this service FOR their clients, and i suppose that they could send their own, but i don't know why they would want to. If they are handling this for you, I believe one will suffice.

I will add one comment about the regulations and which ones apply. If you are a group health plan (and therefore a Covered Entity) under the defintion of one set of regs, you are a covered entity under all the regs and must comply with all.

Are you a Covered Entity? I think you need to take a step back and start there. If you have a health plan and the health plan is a covered enitity, then decide WHO is sending the statement. If it is not from the covered entity, rather from the employer's HR department, WHAT are you sending? Is it truly Inidividually Identifiable Health Information? Then look at WHY you are sending it, and finally to WHOM. Even if you are the Covered Entity, and it is IIHI, but you are sending it the person it pertains to, i still think you are ok. The dependent info is a little if-y, depending on what it is. but if my employer is sending me a statement to let me know what benefits i currently have, i don't see that that is a problem. Anyone else?

Due to the precedent nature of this, i would ensure that you use a consistent measure and that it is listed in the plan document. Does it mention an average of 30 hours per week per quarter? Semi-annually? If in only states "30 hours per week", I would put your measure in the plan document; this will keep you from having to yo-yo her back and forth weekly. If you look for averages every 3 to 6 months, then you have a measure to keep you from discriminating either way and it can be used for all employees.

Do you have a signed release from the patient/employee?