Guest Alley Posted October 14, 2002 Posted October 14, 2002 Does anyone have an opinion as to whether each participating member/employer in a MEWA has to become fully HIPAA privacy compliant with a privacy officer, etc.? Assume that the MEWA becomes fully HIPAA privacy compliant. Assume that the participating employers do not have access to PHI unless they get it from the MEWA. Assume that the employers won't do that unless they are trying to help an employee or beneficiary pursue a claim, and in that instance, a consent will be obtained from the person whose claim is at issue. Does each employer have to adopt a privacy policy, appoint a privacy officer, etc., etc. under these circumstances?
Guest BenefitsLawyer Posted October 14, 2002 Posted October 14, 2002 One of my colleagues told me that trying to explain anything about a MEWA is like trying to explain the Holy Trinity. So, with that caveat . . . . The definition of "health plan" for HIPAA privacy includes a provision that seems specifically designed to make MEWAs health plans for HIPAA privacy purposes. So, the MEWA must comply. In addition, each employer that participates in the MEWA is sponsoring its own separate group health plan. HIPAA privacy applies to group health plans, except those that have fewer than 50 participants AND are administered entirely in-house. If the employer's plan is part of a MEWA, it's not being administered entirely in-house. Therefore, I believe that each separate employer's plan within the MEWA has to comply with HIPAA privacy. Depending on how the MEWA is "funded" (i.e., fully insured or self-funded), the lessened compliance obligations that apply to certain fully-insured plans may apply, but even for those plans, there are compliance obligations.
GBurns Posted October 16, 2002 Posted October 16, 2002 Does North Carolina or the state/states of domicile of these employers allow MEWAs? George D. Burns Cost Reduction Strategies Burns and Associates, Inc www.costreductionstrategies.com(under construction) www.employeebenefitsstrategies.com(under construction)
Guest Alley Posted October 16, 2002 Posted October 16, 2002 Yes, North Carolina state law allows MEWAs. They are heavily regulated by the NC Dept of Insurance. The MEWA is self-funded, with stop-loss insurance, and it is administered by a third party administrator. It seems that the employers participating in the MEWA are for the most part in the same situation as employers who simply purchase a fully insured plan because they do not actually do any of the administrative functions. However, obviously, the plan is not fully insured, and it is administered by someone other than the employer. So, I am concerned that the exceptions which do not require full HIPAA privacy compliance do not apply. I have called the Department of Health & Human Services HIPAA Privacy Line but have received no call back to date.
Guest ERISAcatNraleigh Posted June 11, 2004 Posted June 11, 2004 According to some, if the Association maintaining the MEWA is an "employer" as defined in ERISA Section 3(5), the Association is responsible for complying with HIPAA Privacy at the Association level - and not at the level of each of its members. See ERISA Opinion Letter 2001-04A for more information on whether the Association is an "employer" for purposes of ERISA Section 3(5).
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now