
Is a cafeteria plan a group health plan for purposes of the HIPAA Privacy Rule?



Guest Kaister
Posted

My company provides a cafeteria plan for employees. The cafeteria plan provides the following separate benefits: a group health plan with Blue Cross, a self-insured dental plan, a fully-insured vision plan, and a self-funded health FSA. All of the individual health plans in the cafeteria plan have "receipts" less than $5 million which means we have until April 14, 2004 to comply with the HIPAA Privacy Rule.

I would like to know if we could just amend the cafeteria plan document agreeing that the plan sponsor will comply with HIPAA; OR do we have to amend all of the plan documents of the individual group health plans in the cafeteria plan?

Thanks!

Guest RedShoes
Posted

I'd be interested to know the answer to this question. I am in the process of doing the same and was under the assumption that I should amend each plan document in addition to the cafeteria plan.

Posted

I'm not a HIPAA expert but I wouldn't think you could simply amend a true cafeteria plan document to provide required HIPAA provisions for all component health plans. A cafeteria plan itself really isn't an ERISA employee welfare benefit plan nor would I think subject to the HIPAA Privacy Rule itself--it's really the individual component plans that are covered. I understand some plan sponsors have adopted a "Wrap Plan" document which essentially consolidates all of the various welfare benefit plans into a single ERISA welfare benefit plan for Form 5500 purposes. The plan sponsor then adopts the required HIPAA amendment applicable to the covered health plans included in the Wrap document. There are also other combination techniques that may come into play such as ACEs and OCHAs depending on the particular facts.

Guest Kaister
Posted

Thanks for your responses. Upon further research, I found this question posed on the HHS Office for Civil Rights website:

"Is a flexible spending account or a cafeteria plan a covered entity for purposes of the Privacy Rule and the other HIPAA, Title II, Administrative Simplification standards?"

The answer follows: "A "group health plan" is a covered entity under the Privacy Rule and the other HIPAA, Title II, Administrative Simplification standards. A "group health plan" is defined as an "employee welfare benefit plan," as that term is defined by the Employee Retirement Income Security Act (ERISA), to the extent that the plan provides medical care. See 42 USC § 1320d(5)(A) and 45 CFR 160.103. Thus, to the extent that a flexible spending account or a cafeteria plan meets the definition of an employee welfare benefit plan under ERISA and pays for medical care, it is a group health plan, unless it has fewer than 50 participants and is self-administered. Employee welfare benefit plans with fewer than 50 participants and that are self-administered are not group health plans. Flexible spending accounts and cafeteria plans are not excluded from the definition of "health plan" as excepted benefits. See 45 CFR 160.103, paragraph (2)(i) of the definition of "health plan."

Based on the foregoing and because my company's cafeteria plan includes group health plans (ex., employee welfare benefit plans with more than 50 participants), I would think that our cafeteria plan is, in and of itself, a covered entity subject to the HIPAA Privacy Rule. Extrapolating from there, I am hoping that we can just amend the cafeteria plan document without having to amend the health plans in the cafeteria plan. The only downside is that, by doing so, all of the health plans will be subject to the full HIPAA Privacy Rule requirements even though two plans are fully insured and do not receive PHI. I'm okay with this though because our two other plans are self-insured, and we have to implement policies and procedures and satisfy all of the HIPAA administrative requirements for them anyway.

We also have non-health care components in the cafeteria plan such as a dependent care FSA and life insurance benefits. I intend to designate the cafeteria plan a hybrid entity so that these components are not covered by HIPAA.

In any event, based on the HHS/OCR FAQ, do you think amending only the cafeteria plan document is sufficient?

I'm not trying to get out of doing more work here by not amending all of the group health plans' documents. We just don't have the actual plan documents (they reside with the health insurer), so as a practical matter, I'm not sure how to amend documents that I don't physically have. Has anyone come across this problem? If so, how have you resolved it?

Posted

Kaister,

Thanks, I have seen that GHP definition and I still take exception to the point that a cafeteria plan itself might be considered an employee welfare benefit plan under ERISA even if it includes options for group health plans, health FSAs, etc. If the cafeteria plan is drafted so that the health FSA provisions are included in the same plan document as the regular cafe plan features, then that is a different story but it has always been my understanding that a cafeteria plan alone is more in the nature of a fringe benefit plan subject to IRS regulation versus an employee welfare benefit plan under ERISA. Do you currently file a Form 5500 for the cafeteria plan? Do you file separate 5500s for the other plans? Perhaps the cafeteria plan you have basically serves as a wrap plan for consolidating all the various ERISA plans. I guess it is largely a matter of semantics but I find it frustrating to keep getting HIPAA Privacy guidance that confuses general ERISA classifications without more explanation.

  • 1 month later...
Guest AHayhow
Posted

So, do these changes mean that if we are an FSA Administrator and we deny a claim based on medical necessity and the participant appeals that claim, that we have to contact a medical professional to review that claim before we can completely deny it? For instance, we had a person submit a claim for liposuction, we denied it as cosmetic, they responded by saying that it was medically necessary because they had knee problems from being overweight. Is our next step to have a doctor review this claim?

According to the steps outlined in the HIPAA guidelines, review of adverse determinations involving medical judgement requires review by independent health care professionals with expertise and training in a field related to the medical judgement.
