Help? BA agreement needed for COBRA Admin Services for a fully-insured plan/plan sponsor

[Guest aprunty]

Hoping someone can help me out. I've reviewed as much of the regs as I possibly can and I continue to be at a loss on this issue.

Scenario:

We have a fully-insured medical plan via a local insurance carrier.

We also have a contract with a COBRA administrator, who handles all COBRA roles/responsibilities associated with that same fully-insured medical plan.

While we receive no PHI from the fully-insured carrier and thus are out of the loop for most of HIPAA Privacy Requirements, our COBRA administrator is saying that the employer/plan needs to have a signed business associate agreement between us --the employer/covered entity (they are saying) and our COBRA administrator (business associate).

I just don't see where this is required?? If it were, that could mean that we are on the hook for coming into compliance with all HIPAA Privacy Rules by signing the BA agreement as a covered entity.

[Guest FormsRmylife]

The employer is not the covered entity, the group health plan is. The COBRA administrator must contract with the plan (not the employer) to promise to observe all the HIPAA privacy rules. The employer is making no privacy promises as long as the employer does not sign as itself. An officer of the employer needs to sign as the Plan's authorized representative, not as the employer's representative.

[Kirk Maldonado]

Similar discussion:

http://benefitslink.com/boards/index.php?s...=15entry88388