Premium Only Plan and HIPAA

[Guest jcrawford24]

Just hoping to get thoughts on whether a premium only cafeteria plan is subject to the HIPAA privacy rules. Thanks in advance.

[leevena]

A benefit plan is not subject to privacy rules, it is the information collected that is subject. So, if you have collected this information (name, ss#, etc.) than it is subject.

[J2D2]

My understanding is that a premium-only plan or POP simply acts as a conduit for premium payments and does not provide any benefits. If that is the case, the POP is not a covered entity under HIPAA because it is not a health plan. Of course, if you add FSA provisions, you are subject to HIPAA. But, if you have a true POP that is simply a means of allowing participants to pay premiums on a pre-tax basis, I don't believe you have to worry about HIPAA.

[leevena]

J2D2...even if the employer has a pop only plan, the employer is still collecting data that is subject to privacy. Don't know the answer to my question, but wouldn't that info still be subject to the law?

[J2D2]

leevana, my understanding is that HIPAA applies to "covered entities" not information. A POP is not a health plan, so it is not a covered entity. The sponsoring employer (unless it is a health care provider, ie hospital, doctor, etc., or a health care clearinghouse) is not a covered entity. HIPAA applies to covered entities and restricts their use of protected health information. No covered entity, no HIPAA issue.

Even though it does not appear that HIPAA applies in this situation, there may be other privacy laws that apply.

[Guest jcrawford24]

Thanks to all for your helpful responses. My understanding was that HIPAA privacy and security rules apply to covered entities, not just based on the information (otherwise, workers comp, for example, would be covered, and it is not). I knew that health care FSAs were covered, unless under 50 and self-administered. I was not clear about premium only plans but now am. Thanks again!

[leevena]

J2D2, you are partially correct. It applies to covered entities (such as carriers) but also to business associates (such as agents, tpa's, etc.) and employers and other sponsors of group health plans. The overall issue is for all of these categories is that all Protected Health Information that is collected, must be protected.

So whether it is an employer or a tpa, that data must be protected.

[J2D2]

leevena, I agree with you, in part. I neglected to mention business associates in my post and I agree that a BA is subject to the same HIPAA requirements as the covered entity to which it provides services. Also, I cannnot, offhand, think of a situation where a TPA would not be a BA. However, an employer, with the qualifications noted in my earlier post, is not a covered entity. Unless the regs or statute have changed since I last looked the sponsor of a health plan, i.e. an employer, is not a covered entity.

[leevena]

Well maybe I am confused by the original posting. He said that the employer had a premium only cafeteria plan. To me that assumes the employer is offering a medical plan (or plans) with a POP, and no FSA. There may or may not be other benefits, such as DI, Life, etc.

So assuming there is a medical plan with the POP, then the employer is subject to HIPPA. While the regs do not directly address the employer, it does through group health plans and plan sponsors. So if the employer offers a medical plan, they are now part of the process.

[Guest jcrawford24]

Did not intend to confuse with my posting. Yes, the employer sponsors a medical plan, the premiums for which are run through the premium only plan. No FSA. Certainly the medical plan itself is a "health plan" as defined by HIPAA and thus a covered entity. I was trying to confirm that the premium only feature of the cafeteria plan was not subject to HIPAA privacy and security. Hope that clears things up.

[leevena]

JCrawford24--thanks for the clarification. You are right, the pop is not covered, and the medical plan is covered. By the way, is this JCrawford from Escondido?

[Guest jcrawford24]

Great! No, it's not. Although I think Escondido is in California, and that sounds good right now!