As the MGU that is also my understanding (Lindsay & Rachel). In the
claims area we handle claims processing (claimant information, claim
research, approval/denial, check writing, etc.) for Brokers or TPAs whom
are not capable of processing. Therefore I presume we would have to follow
HIPAA for Privacy, Security & EDI Transactions.
In the Contract Admin area, we receive Employer/employee information all
pertaining to processing Plan Documentation, Census info, etc and the
Underwriting process -- all items which are Privacy, Security & Transaction
items.
>From all that we know we need to be HIPAA compliant. Our Carriers
currently have no requirements for us. We simply sell their risk to the
HealthPlan( Employer). Most of our TPAs/Brokers all seem to be holding out
hoping HIPAA falls through the cracks. We plan on having it, though it may
be sitting for awhile unused.
Also, most of our correspondence is via [a] paper (mail, fax, etc.), [2]
email & [3] phone. We currently have no EDI (per definition) with anyone,
though we have electronic transfers of data (such as Excel spreadsheets).
I believe most organizations are waiting for the final "declarations" from
HIPAA. Also, the HIPAA mentions that if EDI is used then it must conform
to the more modern HIPAA transactions, privacy & sec. If paper, fax, etc.
is used instead then it must meet Privacy & Security. EDI seems to be
descibed as a method of creating efficiencies but does it mandate (?)
moving from paper to EDI. (that process change is not a small project).
Steve Sklar
IT Manager
Majestic Underwriters, Inc. (an MGU)
(p) 248.583.4488 x246
"Askew, Lindsay W"
<LWAskew@magellanh To: "'[EMAIL PROTECTED]'"
<[EMAIL PROTECTED]>,
ealth.com> [EMAIL PROTECTED]
cc:
01/24/2002 08:13 Subject: RE: HIPAA EDI
AM
I would tend to agree with Rachel. As I read the information provided, the
self-insured company is the covered entity (health plan), the TPA is a
business associate of the self-insured plan, and MGU is a business
associate
of the TPA. Exchanges between the TPA and the Health Plan are not covered
under HIPAA (but may make good business sense). To the extent that the TPA
is conducting covered transactions on behalf of the covered entity they
have
be in standard. Exchanges between the TPA and MGU are not covered under
HIPAA. Again, if MGU is conducting covered transactions on behalf of the
TPA
those must meet the standards. I think it is smart of MGU to want to use
the
standards however it is likely not required. However, I think the TPAs they
are working with need to reassess their situation, it is likely they are
covered under HIPAA. If MGU can convince them of that they may be more
inclined to use standards with MGU. Also, the information exchanged appears
to be PHI and as such is subject to the Privacy Regulations.
My two cents worth.
Lindsay W. Askew, Jr.
Program Director, HIPAA
Magellan Behavioral Health
-----Original Message-----
From: Rachel Foerster [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 23, 2002 7:05 PM
To: [EMAIL PROTECTED]
Subject: RE: HIPAA EDI
Cynthia,
I disagree with you regarding the entity in question - Managing General
Underwriter. The writer indicates they work with TPAs, carriers and
brokers.
It seems clear that MGU is an underwriter but not one of the covered
entities to which HIPAA applies. MGU is not a TPA nor a carrier nor a
broker
nor a health plan nor a health care provider nor a clearinghouse as defined
under HIPAA. As such HIPAA does not apply to them. TPA's per se are not
covered entities unconditionally and MGU did not indicate they act in a TPA
role.
Furthermore, the mere act of "communicating membership" does not consititue
the "enrollment in a health plan, the termination of coverage in a health
plan, or any change to the coverage for an individual under a health plan."
Thus, communicating membership is not the actual enrollment, disenrollment,
etc. in a health plan. Therefore, this information exchange is not covered
under HIPAA.
Thus, it's essential that the relationships between the various entities be
examined closely to determine which entity is the covered entity and then
which other entities are the business associate of the covered entity. Only
when the relationship is one of covered entity to covered entity or the
business associate of a covered entity to a covered entity, does the
business associate then have to comply with HIPAA as if it were in fact the
covered entity.
In the description of the relationships provided, there does not appear to
be a business associate relationship to a covered entity defined, only that
MGU "works in the self-insured sector....and does not work directly with
any
health care organization or provider." Therefore, MGU appears not to be a
covered entity and it appears that the entities it does business with are
not covered entities either. As a result MGU is off the hook....unless it
is
a business associate of a covered entity performing a HIPAA mandated
function for that covered entity. You appear to confuse the issue by
bringing in the concept of an ERISA group plan, yet the person with MGU
does
not indicate they are in this situation.
Of course, these are my personal opinions and interpretation only based on
the scant information provided to us. Thus, I strongly encourage Steve to
consult with MGU's legal counsel to determine the role it plays with its
various business partners so that a determination can be made as to whether
HIPAA applies to MGU or not.
Rachel Foerster
Rachel Foerster & Associates, Ltd.
Phone: 847-872-8070
-----Original Message-----
From: Cynthia Korman [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 23, 2002 12:07 PM
To: [EMAIL PROTECTED]
Subject: Re: HIPAA EDI
Actually, I beg to differ with Rachel's opinion...the transaction rules
have
to be followed whether
the transmissions are between or within covered entities - my understanding
is that since an ERISA healthplan is defined as a covered entity, those
that
communicate membership to TPAs must do so via an 834. Also, their TPAs
must
be prepared to handle standard transactions from providers that provide
care
to the ERISA plan's members. Where am I off base?
----- Original Message -----
From: "Rachel Foerster" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, January 23, 2002 12:38 PM
Subject: RE: HIPAA EDI
> Steve,
>
> >From your description of your company I doubt that HIPAA applies to it.
It
> doesn't appear to be a health plan, clearinghouse, or health care
provider.
> Thus, it would be my opinion that the format, etc. used by your company
> would be one based on mutual agreement between you and whoever you're
> exchanging the data with.
>
> Rachel Foerster
> Rachel Foerster & Associates, Ltd.
> Phone: 847-872-8070
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, January 23, 2002 11:03 AM
> To: [EMAIL PROTECTED]
> Subject: HIPAA EDI
>
>
> So if I understand what everyone is saying correctly:
>
> [1] your business must have HIPAA EDI capability ready for any requests
> that may occur. That is required although you may not be required to use
> it (Carriers, providers, etc. may have you continue to use paper, etc.).
>
> ----------
> I as mentioned earlier my situation is interesting:
> I work for an MGU (Managing General Underwriter) in the Self-Insured
> market. We work with TPAs, Brokers and Carriers but not directly to any
> health organization nor hospital. Currently our Carriers have no plans
> nor requirements for us for HIPAA EDI. Most of our TPAs and Brokers
also
> have no plans as of this time.
>
> We are working on building up our EDI capabilities ... but if we build it
> will it be used?!?! With this HIPAA mandate we were ready to move
forward
> but if the people we are communicating with are not we are put in a catch
> 22 situation with compliancy.
>
> Sincerely,
>
> Steve Sklar
> IT Manager
> Majestic Underwriters, Inc.
> Troy, Michigan
> (p) 248.583.4488 x246
>
>
> **********************************************************************
> To be removed from this list, go to:
> http://snip.wedi.org/unsubscribe.cfm?list=business
> and enter your email address.
>
>
>
> **********************************************************************
> To be removed from this list, go to:
http://snip.wedi.org/unsubscribe.cfm?list=business
> and enter your email address.
>
**********************************************************************
To be removed from this list, go to:
http://snip.wedi.org/unsubscribe.cfm?list=business
and enter your email address.
**********************************************************************
To be removed from this list, go to:
http://snip.wedi.org/unsubscribe.cfm?list=business
and enter your email address.
**********************************************************************
To be removed from this list, go to:
http://snip.wedi.org/unsubscribe.cfm?list=business
and enter your email address.
**********************************************************************
To be removed from this list, go to: http://snip.wedi.org/unsubscribe.cfm?list=business
and enter your email address.
