French Posted May 19, 2003 Posted May 19, 2003 We received a request from an employee who wants to inspect and copy the health information contained in his designated record set. Does anyone have a definition of the term designated record set? Is this information we have collected prior to or after April 14th? At this point in time, he is only a participant in our self-insured EAP but was previously a participant in the other "health" plans 2 years ago. Thanks.
GBurns Posted May 19, 2003 Posted May 19, 2003 Go to this HHS link, click on "Your Frequently Asked questions ...." then do a search for deignated record set and you will get the best answer: http://www.hhs.gov/ocr/hipaa/ IMHO, it is any and all information that is used in making any and all decisions regarding claims and health plan participation. Are you a covered entity or a business associate of the Plan? From your post I get the feeling that you might be the employer, if that is so then you should not have the information, if you do I suggest that you seek legal advice regarding your possession of PHI. Although you are self insured, you are the employer, you are NOT the Plan. George D. Burns Cost Reduction Strategies Burns and Associates, Inc www.costreductionstrategies.com(under construction) www.employeebenefitsstrategies.com(under construction)
Steve72 Posted May 20, 2003 Posted May 20, 2003 I agree with the first part of GBurs post, however, I want to get some clarification on the second part. GBurns, you state "Although you are self insured, you are the employer, you are NOT the Plan. " Are you saying that it is not possible for an individual to act both as the employer and the plan? If so, I strongly disagree. Employees of the employer, acting in their plan function, may have access to PHI, particularly in a self-funded environment.
GBurns Posted May 20, 2003 Posted May 20, 2003 Steve72, You can act as a father and act as a husband at the same time, that does not make both things be the same. You can own all the stock in a company and still be Director and employee, Again, doing two things do not make the things the same. You own all the stock and you are not the Company even if you are the sole Shareholder and sole Director and even sole employee, that is why the company has to have its own FEIN and bank account etc, TWO separate entities. ERISA (and HIPAA) state " TITLE 29--LABOR CHAPTER 18--EMPLOYEE RETIREMENT INCOME SECURITY PROGRAM SUBCHAPTER I--PROTECTION OF EMPLOYEE BENEFIT RIGHTS Subtitle A--General Provisions Sec. 1002. Definitions For purposes of this subchapter: (1) The terms ``employee welfare benefit plan'' and ``welfare plan'' mean any plan, fund, or program which was heretofore or is hereafter established or maintained by an employer or by an employee organization, or by both, to the extent that such plan, fund, or program was established or is maintained for the purpose of providing for its participants or their beneficiaries, through the purchase of insurance or otherwise, (A) medical, surgical, or hospital care or benefits, or benefits in the event of sickness, accident, disability, death or unemployment, or vacation benefits, apprenticeship or other training programs, or day care centers, scholarship funds, or prepaid legal services, or (B) any benefit described in section 186© of this title (other than pensions on retirement or death, and insurance to provide such pensions). The fact that a plan is "established or maintained by an employer" simply means that it is a separate entity. That is why under HIPAA the plan is the "covered entity" but the employer sponsoring the plan is not. Two separate and distict entities. The fact that some employees of the sponsor will have access to PHI still has nothing to do with the issue. Read the HIPAA Q&A and the very many legal opinions that have been written about the need for a Business Associate Agreement to cover such handling.. George D. Burns Cost Reduction Strategies Burns and Associates, Inc www.costreductionstrategies.com(under construction) www.employeebenefitsstrategies.com(under construction)
Steve72 Posted May 20, 2003 Posted May 20, 2003 Thanks, I've read them. What I am taking issue with is your statement: " From your post I get the feeling that you might be the employer, if that is so then you should not have the information, if you do I suggest that you seek legal advice regarding your possession of PHI. Although you are self insured, you are the employer, you are NOT the Plan. " Even if French is (for example)HR director at the employer, there is nothing preventing him or her from also performing a plan function. If (s)he is doing so, (s)he will have access to PHI. I am not sure what your reference to a Business Associate Agreement means. The employer/plan relationship is explicitly NOT a business associate relationship. There is no agreement required (other than the plan amendment). There will be a business associate agreement with the TPA, which COULD contractually take over the responsibility to provide access to the designated record set, but nothing in French's post indicates that that is the case.
GBurns Posted May 20, 2003 Posted May 20, 2003 The employee requested their "designated record set". A "designated record set" is the information used to make coverage limits and claims adjudication descisions etc. No employer has need or use for this info and both state privacy laws and HIPAA prohibit this. An employee of the plan sponsor/employer will have some PHI such as enrollment info but not this. Plan functions performed by employees of a plan sponsor or employer do not include coverage limits and claims adjudication and they would therefore have no need for the info in the "designated record set". George D. Burns Cost Reduction Strategies Burns and Associates, Inc www.costreductionstrategies.com(under construction) www.employeebenefitsstrategies.com(under construction)
Steve72 Posted May 21, 2003 Posted May 21, 2003 >>>A "designated record set" is the information used to make coverage limits and claims adjudication descisions etc.<<< and >>>An employee of the plan sponsor/employer will have some PHI such as enrollment info but not this.<<< Not exactly. If you look at the definition of DRS in the regs, enrollment information an also constitute a DRS. Also, any set of information that is used "by a covered entity to make decisions about individuals" is included in the definition. Are you telling me that a plan (not the TPA) can't hold any information that would meet this definition? >>>An employee of the plan sponsor/employer will have some PHI such as enrollment info but not this. Plan functions performed by employees of a plan sponsor or employer do not include coverage limits and claims adjudication and they would therefore have no need for the info in the "designated record set".<<< Even assuming that the DRS in question does not involve enrollment informatin, I still don't think these statements are always correct. It depends on the employer/plan sponsor. I have clients who wish to continue to perform this function, and are able do so within the requirements of HIPAA. It's not possible to set out a blanket statement that employer representatives should not have access to certain PHI. The employer plan is its own entity for purposes of HIPAA. The TPA is not the plan. Neither is the employer, of course, but employer personnel will act on behalf of the plan, and will have access to PHI as a result. There are many ways in which an employer/plan sponsor can comply with HIPAA's rules. Employer/plan sponsors who wish to continue to have a "hands on" role with their plan have more to worry about from a compliance perspective, but for some it is worth it.
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now