HIPAA, HRA and privacy notices

[mariemonroe]

Employer has a HDHP and provides a self insured HRA administered by a TPA.

Employer has a business associate contract with TPA.

If employer required to send out a HIPAA Notice of Privacy Practices to HRA participants even though employer does not receive PHI related to HRA?

 

 

[Peter Gulia]

Along with considering other points of law and each person getting its lawyer's advice, one might revisit an assumption that the employer never receives protected health information.

For the non-insured health-reimbursement arrangement, does the employer (perhaps in a role as the plan's administrator or other named fiduciary) have a legal right or power to overrule the third-party administrator's claims-processing decision?  If so, how does such a decision-maker or reviewer evaluate a claim without at least receiving protected health information?

And which person engaged the TPA service provider?  Is that person a fiduciary?  What information does the person consider to evaluate whether it remains prudent to continue the TPA's engagement?

 

[leevena]

Peter is correct.  Highly unlikely the employer does not have PHI.

Self funding and privacy notices are tough, but the employer is a covered entity and is required to send the notice.