HIPAA privacy and benefit statements

[Guest marie567]

How does HIPAA privacy regs affect individual employee benefit statements? We're removing all data such as date of birth, dependent info, and considering removing the employee's name from the statement.

Is listing an employee's health plan and employee contribution for health benefits individually identifiable info? I don't think so, but want to check.

Do you see any other problems with employee benefit statements and HIPAA privacy?

[Jbentz]

Are you a Covered Entity? I think you need to take a step back and start there. If you have a health plan and the health plan is a covered enitity, then decide WHO is sending the statement. If it is not from the covered entity, rather from the employer's HR department, WHAT are you sending? Is it truly Inidividually Identifiable Health Information? Then look at WHY you are sending it, and finally to WHOM. Even if you are the Covered Entity, and it is IIHI, but you are sending it the person it pertains to, i still think you are ok. The dependent info is a little if-y, depending on what it is. but if my employer is sending me a statement to let me know what benefits i currently have, i don't see that that is a problem.

Anyone else?

[Steve72]

You can always disclose PHI to the individual to whom it pertains.

If you are transmitting benefit statements that pertain to an individual employee to that employee, there should be no HIPAA implications (other than the fact that you should use appropriate safeguards to prevent the unnecessary disclosure of the information).

How are you going to determine to whom to send the benefit statement if you remove all identifiers?

[Guest marie567]

the statement would have most identifiers removed. Thanks for reminder that it's okay to send PHI to the individual involved and that it's the employer sending the statement, not the health plan.

There probably isn't a problem with benefit statements. Now I realize the issue may be more of communications not compliance.

I just think the less individual information like date of birth, dependent info we put on the statement the better. I think people are concerned about what gets sent through the mail.

I'm still learning new HIPAA rules - - would appreciate any comments on perception by employees on privacy regs versus sending a benefit statement with private information in it. Will they understand the difference?