Guest snapier Posted May 24, 2002 Posted May 24, 2002 Good day, Has anyone started to work on the new HIPPA standards. Are you creating a policy, revising one or what steps are you taking as these provisions continue in Limbo?
Guest BenefitsLawyer Posted May 24, 2002 Posted May 24, 2002 The HIPAA privacy regs are not in limbo. They will take effect on 4/14/03 (small plans get until 4/14/04). Some revisions were proposed in March, but for health plans those proposed revisions are relatively minor. The Bush administration has repeatedly refused to delay the effective date. (The Administrative Simplification Compliance Act allows an extension only for use of the electronic transaction standards and code sets, NOT for privacy.) I represent health plans and TPAs, and the TPAs are already almost completely ready--policies and procedures in place, privacy and complaints officers on the job, training in progress, etc. The self-administered plans are a little farther behind, but will be ready in plenty of time for 4/14/03. There is a good set of customizable policies and procedures on the snip.wedi.org website, and the proposed revisions issued in March include, in an appendix, a model business associate agreement. Those are good places to begin.
Linda Posted May 27, 2002 Posted May 27, 2002 BenefitsLawyer -- I would really like to get your opinion about the roles of the third party administrator and the employer under the HIPAA privacy regs with respect to a self-insured group health plan. In particular, what if any right or obligation does a third party administrator have to verify an employer’s compliance with 164.504(f)? The third party administrator is not the group health plan. Rather, the third party administrator is a business associate of the group health plan. 164.05(f) is based on the fiction that the group health plan is disclosing health information to the third party administrator. (In reality, the third party administrator gets health information from providers.) Because of that fiction, the employer and the third party administrator will need to enter into a business associate agreement. The business associate agreement is supposed to be between the third party administrator and the group health plan but, since there’s not one to sign the business associate agreement for the plan other than the employer, the business associate agreement will actually be between the third party administrator and the employer. If the employer asks the third party administrator for health information, will the third party administrator ask for the employer’s certification of compliance with 504(f)? If the third party administrator does take on this responsibility, what is the legal basis for that responsibility? If the third party administrator isn’t the group health plan, the only basis I see would be the business associate agreement. What do you think?
katieinny Posted December 10, 2002 Posted December 10, 2002 BenefitsLawyer: I tried to get on the web site you mentioned -- snip.wedi.org, but couldn't get anything. Is there a typo?
Guest BenefitsLawyer Posted December 10, 2002 Posted December 10, 2002 I'll answer the easy one first--the URL is http://snip.wedi.org Click on SNIP Workproducts, and scroll down to version 2.0 of the privacy resource paper. I misspoke when I said this was a customizable set of policies and procedures--it is, instead, a review of the privacy requirements, translating most of them into plain English, with discussion of issues to take into account in drafting policies and procedures and suggestions of things to include in policies and procedures.
Linda Posted December 10, 2002 Posted December 10, 2002 WEDI SNIP has an employer workgroup that deals with HIPAA’s application to employer sponsored group health plan. The workgroup had some discussions on P&Ps for a GHP a month or so ago, but did not have the volunteers to draft samples at that time. Still, just the discussion of the scope of what is needed can be helpful. It is also my understanding that the ABA Health Law Section may be putting together a forum to discuss HIPAA implementation issues facing group health plans. This might be another forum to discuss HIPAA P&Ps for a GHP.
Guest BenefitsLawyer Posted December 10, 2002 Posted December 10, 2002 Linda-- In the Preamble to the final regs, HHS said that the certification that is required by .504(f) is intended to make life easier for insurers and HMOs, by limiting their obligation before disclosing PHI to the plan sponsor to asking for a copy of the sponsor's certification. 65 Fed. Reg. 82508 (12/28/00). I think the same applies to a TPA for a self-funded plan--upon receipt of the sponsor's certification, the TPA may disclose PHI to the sponsor. Your analysis of the relationships among the plan, the sponsor, and the TPA are right on the mark. However, as to whether the plan has anyone to sign the agreement with the TPA, when the plan is just a document and has no employees of its own, I think HHS's idea is that the sponsor designates one or more of its employees as having plan administration responsibilities--that's part of the adequate separation requirement under .504(f). Then, those designated employees are the people who are permitted to receive PHI from the plan (really, from the TPA). And, by extension, those are the people who can act for the plan including, if the sponsor gives them the authority, to sign an agreement with a TPA on behalf of the plan.
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now