HIPAA privacy for full-insured health plans

[Guest many?s]

I know that the health PLAN is the covered entity and not the employer, although the employer sponsors the plan. I also know that if the employer has no access to PHI other than summary health information and enrollment information that it avoids the privacy requirements under HIPAA and the insurer of the fully-insurer plan has to deal with it.

However, what does this mean in "real life"? The employers we work with definitely want to go the hand-off approach, but yet have copies of the enrollment forms in their files, which contain PHI. Do they have to go through all the Privacy rules in order to keep the PHI in their files? My impression is the as long as the INSURER doesn't provide anything outside of summary health information and enrollment info, but this is PHI that the employer has in their files for the health plan, acting as the plan sponsor.

What steps should the employer take? Full out Privacy rules or something as minimal as locked files for the enrollment forms?

Many?s

[Steve72]

What PHI is contained in the enrollment forms? Enrollment information itself is not considered PHI when held by the employer.

You should also look at issues such as customer service, to determine whether insurance company representatives are disclosing PHI to your employees who call on behalf of participants. Absent modification, this practice is probably a "use or disclosure beyond SHI or enrollment/eligibility information" that would eliminate the exemption from the administrative requirements.

You've really got to review your current practices to make sure no PHI is slipping through the cracks. Most employers are truly amazed when they discover what information is really coming and going from their benefits department.

[Guest many?s]

<>

Here is a question that is on an enrollment form with the answer being PHI (IMO): Within the last 24 months have you or any dependents to be covered consulted, received treatment, had medication

prescribed by a doctor, psychiatrist, psychologist, or other practitioner or been diagnosed for: cancer, stroke,

diabetes, heart or vascular disease, mental or emotional disorder, muscular or systemic disease (including, but not

limited to arthritis, lupus), alcohol or drug use, liver, kidney, lung or intestinal disorder (except genetic testing

results), enlarged lymph nodes, or other immune system disorder (except AIDS/HIV testing results), infertility,

transplant (recommended, pending or completed), growth disorder or have medical claims in excess of $5,000?

While the answers to the above question would be PHI, it is also part of enrollment information. My info says that a fully funded group health plans that does not share PHI with the plan sponsor (employer) and receive only summary and enrollment information, are exempt from the administrative privacy requirements. The thing is, is that the PHI enrollment info is not coming from the health plan to the plan sponsor, but vice-versa in the enrollment process.

Even if the PHI on the enrollment forms is exempt from all the admin requirements (designate privacy officer, etc.), I relize that sponsors still cannot use/disclose PHI in a manner that violates the Privacy rules.

So if I'm understanding this all correctly (and I think I have just enough info to be dangerous), the enrollment form PHI that employers keep does not make the employer subject to all the Privacy admin requirements, but they should still take precautions to protect the enrollment forms from unecessary viewing because they do contain PHI.

The carriers in our area appear to be VERY protective of PHI in the customer serivce arena and we will be advising that a release needs to be obtained from the plan participant by the employer to perform CS functions.

Anthing I'm missing? Agree? Totally off base?

Many?s

[GBurns]

many?s

What you have stated sounds more like the application form rather than the enrollment form. Those questions have to bearing on enrollment.

The employer should never have a copy of the application.

Since sounds like this is a very small group (under 50 lives) there should also be some state Small Group Laws that are also applicable in this PHI situation. Have you checked?

[Steve72]

I agree with GBurns. Is there a reason you are maintaining this form as part of the employee file? Is there any reason you need the information? If not, it's better to change your current practice than to try to comply with HIPAA's requirements.

[Guest many?s]

The apps/enrollment forms are not part of the employee file, but rather part of the employer's file on the health plan.

The application and the enrollment form are the same form. If EE is simply enrolling, then they do not answer the health questions.

Employer likes to keep enrollment forms, apps, term forms, adds, etc so there is a paper trail in case of problems with the carrier losing the form, claiming there was no timely receipt, etc. If the employer no longer keeps forms to comply with COBRA, any problems with the broker keeping copies as long as broker has Business Associate Agreement with the health plan?

Not aware of any state issues, but will check on that.

[GBurns]

It does not make any difference whether this form is in an employee or an employer file. The employer should not have a copy of the enrollment form.

If the employee is "not enrolling" Why would they need to answer any questions at all??????

Enrollment forms have no need for medical questions. I think that you might have the forms mixed up or something but your forms do not seem right. I do not know of any state that has approved a form such as the one that you have described.

The "broker" as a licensed insurance agent is required by most states to keep a copy of many forms including (in most cases) a copy of the application. Under no circumstances is this the employer's business.

If this employer keeps a copy of this form with medical questions, I think that they need some serious legal advice re HIPAA, general privacy and state insurance law.

[Guest carsca]

On a related point, what if a fully insured plan's enrollment form requires information of the employee's designated primary physician? Is this form now something other than "enrollment information"? And if it is, does the employer now have to implement firewalls, amend documents, etc.?