French Posted July 10, 2003 Posted July 10, 2003 We maintain several self-insured health plans (medical, dental, FSA and EAP) but only one plan met the $5m threshold - our medical plan. We sent the privacy notice to all active employees eligible to particpate or participating in the health plans and to former employees participating in the health plans. The notice was not specific to the medical plan. Question: An employee who waived medical coverage (in a fully insured plan) and dental coverage (in our self-insured plan) in 2000 has requested access to his PHI. What are our obligations? Question: Should we change our privacy notice to be specific to the medical plan? Thanks.
Jbentz Posted July 10, 2003 Posted July 10, 2003 Your obligations are really going to depend on your state laws also, because most states had access laws before HIPAA. Since the other plans under the five million mark still must comply by April 14, 2004, where your intentions to have your notice all of your plans or just your medical plan? Are you going to issue different notices for the others, or use the same one? What is the wording in your NPP now? Is your issue in getting and retrieving the records that the employer has requested, or in giving the employer access to the records?
Steve72 Posted July 10, 2003 Posted July 10, 2003 "Question: An employee who waived medical coverage (in a fully insured plan) and dental coverage (in our self-insured plan) in 2000 has requested access to his PHI. What are our obligations?" What PHI does the plan maintain regarding this individual? Was he enrolled in the plan prior to 2000?
mroberts Posted July 10, 2003 Posted July 10, 2003 That's what I was thinking. Unless this employee somehow got amnesia and he can't remember his address or social security number, what's he looking for?
Jbentz Posted July 11, 2003 Posted July 11, 2003 My thought was that he was a covered individual before he waived coverage, so he woudl have PHI before 2000. That is what i get for thinking and assuming!
mroberts Posted July 11, 2003 Posted July 11, 2003 I think people are making this whole HIPAA thing harder than it has to be. If I am interpreting the post correctly it sounds like the HIPAA notice is what prompted this employee's request. If the employee wants data from claims he incurred back before 2000 why wouldn't he just call the insurance company and get it? Better yet, why does he even want it?
Guest kowen Posted July 11, 2003 Posted July 11, 2003 You may want to try drafting standard forms for reqests for access and other privacy rights to help narrow down the scope of requests to claim numbers, dates of services, etc.. The joint notice should be fine as long as your policies document that the plans will issue joint notices.
GBurns Posted July 12, 2003 Posted July 12, 2003 I saw a few such requests recently. ALL turned out to that the employees wanted to see if there was any info at all, Name address, anything. George D. Burns Cost Reduction Strategies Burns and Associates, Inc www.costreductionstrategies.com(under construction) www.employeebenefitsstrategies.com(under construction)
French Posted July 14, 2003 Author Posted July 14, 2003 Appreciate all the comments. Re: the question about PHI, as an employer with several self-insured plans, several ASO providers, and an internal Benefits Service Center, we have been the recipient of occasional PHI due to claims issues. In addition, if I understand the PHI definition, it would also include enrollment/disenrollment information which we maintain in a separate benefits file. Re: this person's request, I would agree with mroberts and GBurns in that it was prompted by the HIPAA notice and that he probably only wants to see if there is any info about him anywhere in a file. In the end, we are of the belief that with the exception of the enrollment/disenrollment paperwork on file, there is no PHI being maintained since he is not a current member of any one of our self-insured plans. We intend to direct him to his current provider(s) and his prior fully insured health plan carrier. My one concern was our EAP, but in that case we determined that we should send him to that vendor also. Any other comments?
Guest kowen Posted July 14, 2003 Posted July 14, 2003 In a self insured plan, the plan, not the ASO provider is the covered entity and is responsible for responding to requests to exercise individuals' rights under the privacy regs. You should have business associate aggreements with all TPAs and other vendors who use the plan's PHI. The aggreements should require the TPA to turn over PHI to the plan in order to fullfill its obligations to provide access, accounting of disclosures, etc. Also, you should have specific benefits staff that is designated as the plan's workforce so there is no confusion about whether the PHI is being handled by the plan or the employer.
French Posted July 14, 2003 Author Posted July 14, 2003 Kowen, based on your comments, I think we are okay. We do have business associate agreements in place with our ASO provider and another vendor for our self-insured medical plan and are working on completing agreements for those self-insured plans which become effective on 4/14/04. Additionally, we have a designated workforce (our customer service reps and benefits staff) which has been trained with regards to the HIPAA regs. Again, to go back to my initial post, my concern with the employee's request was whether or not any information (no matter who supplied it) needed to be provided since he is not a member of any of our plans currently subject to the HIPAA regs. If the employee had been a current member of our self-insured medical plan, the answer would have been simple. On behalf of the plan, the information would have been requested of the ASO provider. Again, with respect to my initial post, should we amend the notice so that it references our self-insured medical plan and not all plans? The specific language in the notice says "We are issuing this privacy notice to all those who are or are eligible to become members in any of XXXXX self-insured health plans." My understanding is that we were not planning on issuing another notice next year for those plans complying as of 4/14/04.
Guest kowen Posted July 15, 2003 Posted July 15, 2003 I'm not sure I fully understand the question. If the EE is not currently a participant, why did he get the notice? Was he ever enrolled? If the plan is possesion of any PHI about him, he is entitled to inspect/copy it for as long as it is in the plan's possession, whether he is currently a participant or when the PHI was received or created by the plan. Joint notices should specifically identify each individual plan that is covered by the notice.
French Posted July 16, 2003 Author Posted July 16, 2003 Let me try and answer the questions so that it makes more sense. 1. The EE received the notice because it was sent to all "benefits eligible" employees, specifically to cover ourselves due to our EAP. From what I can tell from his records, he is not and has not been a participant in our self-insured medical plan or FSA but was a participant in our self-insured dental plan until 2000. With the exception of the enrollment/disenrollment paperwork in his benefit file, all other PHI for the dental plan would be with our ASO provider. If he is or has been a participant in our EAP, PHI would be with our vendor. 2. According to our legal dept., the privacy notice was intended to cover all of our self-insured plans (the one subject to the 4/14/03 date and those subject to the 4/14/04 date). It did not specify each individual plan and realistically only one plan - medical - is valid. When I asked our legal dept. what to do if an EE requested access to PHI for any of the other plans (even though not subject until 4/14/04), the answer was to comply with the request. I hope that the above information clarifies the situation a little bit more. These answers lead me back to my questions: 1. Since the EE is not and has not been a participant in our self-insured medical plan which is the only one of our plans subject to the 4/14/03 date, that plan has no PHI for him. However since the notice does not specify the plan, are our other plans required to provide access now? We do not have BAAs in place with our other ASO providers yet. 2. Should I ask the legal dept. to update the notice so that it is specific to the one plan required to comply with the 4/14/093 date? I'm thinking that their decision to simplify the communication has actually made it more complicated. Thanks.
Guest kowen Posted July 16, 2003 Posted July 16, 2003 I would first ask the EE if there is anything in particular he is looking for. I would also forward the request to your ASO provider. Even though your BAA is not in place yet, they should accomodate the EE's request as a courtesy. I agree with your legal dept. that the 4/14/04 should comply with requests since the notice seems to imply that it covers those plans too. You probably don't absolutely have to revise your notice, but it might be a good idea to include the names of the plans. Sec 164.520(d) states that the notice meets the requirements if it "Describes with reasonble specificity the covered entities, or class of covered entities, to which the joint notice applies." Remember, the notice must also be distributed to new enrollees at the time of enrollment.
French Posted July 17, 2003 Author Posted July 17, 2003 Thanks for all the comments concerning this topic. I've learned a little bit more and hopefully some of the other users have too.
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now