Mandatory HIPAA Training

[Guest Bene]

Hello, all. Some of my colleagues are telling me that I'm going way overboard with mandatory HIPAA training. We have self-funded plans and have been considering enrollment and dis-enrollment data to be PHI to the point that we're requiring our IT employees and payroll employees to complete the mandatory trainings. The only data that these people see are participants' plan elections and the resulting payroll deductions--nothing more.

Are we going overboard? What are you doing? Thanks!

[J Simmons]

So all the IT/payroll guys would know is that EE A might choose a richer health coverage and more health flex account than EE B. Is that PHI? IT/payroll guys might conclude EE A is not as healthy as EE B. If EE A and EE B themselves work in the IT/payroll departments, this attenuated bit of into might be factored in an employment decision, such as whether they are promoted, let go, or get a raise (and how much). Personally identifiable information? Yes. Health information? I don't think so.

I'm no expert on the definition of PHI but I think that's reaching, or as your colleagues suggested, way overboard.

[Guest d.curtis1]

Under HIPAA, PHI is defined in the following words: "A “designated record set” means and includes (i) the medical records and billing records about an individual maintained by or for a covered health care provider; (ii) enrollment, payment, billing, claims adjudication and case or medical management record systems maintained by or for a group health plan; or (iii) other information used in whole or in part by or for the group health plan to make decisions about an individual.”

Since (ii) starts off wtih "enrollment", I interpret it to include whether an individual is enrolled or not. That means anyone having access to knowledge as to the enrollment (NOT eligibility) status is dealing with PHI. I think it is better to err on the side of caution and have the IT people with access go through the training and sign the certification that they understand and have been trained regarding the disclosure and use of PHI. If you get audited or if you have to defend a claim you will be the one responsible for having properly executed the requirements - not the folks who don't want to do the training!

So far, the only thing our ERISA counsel has agreed is not PHI is whether an employee is "eligible to enroll". Only enrollment and/or dis-enrollment info is not protected.

Hope this helps.

dc

[Guest parrot87]

I have a question based on the reply of the provided definition.

One of our clients is providing Medicare Part B premium reimbursement because there was a mix up in the plan election for their retirees due to the carrier's network losing a hospital network. It is a fully insured retiree health insurance plan with about 400 enrollees.

Now as part of the reimbursement, the group extended this reimbursement for up to 5 years, even if you retired before this plan changing incident. So for example, if an employee retired 3 years ago, they have 2 years of reimbursement left.

Keeping track of everything is becoming a problem. First, we don't know when employees retire and they call our office irrate that they haven't recieved their check. second, we do not know when each retiree enrolled into the retiree plan and are providing reimbursement to retirees beyond the 5 year window (some honest folks have called to notify that they are ineligible for the reimbursement). The carrier refuses to divulge this information citing Hippa. They did however provide this information once in February, but will not provide updates.

Thats enough for starters, but any ideas how to gain consistent access to such information to make this plan run more smoothly without having to put more work on the HR director?

[GBurns]

Assuming that this is PHI under HIPAA etc.

The insurer citing HIPAA is meaningless, without citing why and a solution. The solution is simply that the Plan Sponsor dictates that they must provide you with the required information because they have employed you as a service provider for their group health plan. The insurer then has you sign their standard Business Associate Agreement. Nothing new or unusual. It could be that the person you are in contact with is at too low a level to have a valid opinion which you should not have accepted anyhow.

In a few cases where I have had difficulty or I just could not bother to explain, I simply had the state's Dept of Insurance cite their Unfair Business Practices (or similar) regulations.