Re: Self insured health plans & NPP

[David Blasi]

John,

I was trying to keep it simple in my comment, but certainly appreciate
people like John who have the time to provide detailed and informative
comments.  Under ERISA Section 101, the Plan Administrator is required
to provide things such as the Summary Plan Descriptions ("SPD") and
annual reports. The are many other notice requirements.  Also, the Plan
Administrator may or may not be the same as the Plan Sponsor. 
Regardless, the Plan Administrator/Plan Sponsor may contract with
someone else to provide the necessary disclosures and administration. 
This could include paying claims, sending COBRA notices, HIPAA
certificates of creditable coverage, etc.  However, the ultimate
responsibility will always reside with the entity who has the direct
obligation under HIPAA, ERISA or applicable law.  You can hire and pay
somebody to do it, but you still have to do the hiring and paying.  You
can't apply the same logic to TPA's as to insurance carriers, because a
TPA does not have a direct obligation to do something under ERISA or
HIPAA.  The TPA's obligation is contractual and will depend on whether
they are willing to do what you want and for what price.  

David 

>>> <[EMAIL PROTECTED]> 03/13/03 04:17PM >>>
John,

Thanks for the great analysis on the terminology differences between
ERISA 
and HIPAA and the HIPAA implications.  I agree that self-insured health
plans 
get stuck with all the HIPAA requirements, but wonder the extent to
which 
compliance details could be jobbed out to a TPA business associate.

Such health plans may wish to avoid preparing and training staff on
extensive 
policies and procedures when for all practical purposes they don't see
or 
maintain PHI except enrollment data in their plan sponsor roles. The
preamble 
to the revised privacy regulations gives the plan a reduced set of 
requirements under an "insurance contract" when the carrier performs
these 
functions.  Could the same guidance apply if the TPA does all the heavy

lifting?

Following is the language from the preamble:

"Group health plans, to the extent they provide health benefits only
through 
an insurance contract with a health insurance issuer or HMO and do not

create, receive, or maintain protected health information (except for
summary 
information or enrollment and disenrollment information), are not
required to 
comply with the requirements of §§ 164.520 or 164.530, except for the 
documentation requirements of § 164.530(j). In addition, because the
group 
health plan does not have access to protected health information, the 
requirements of §§ 164.524, 164.526, and 164.528 are not applicable. 
Individuals enrolled in a group health plan that provides benefits only

through an insurance contract with a health insurance issuer or HMO
would 
have access to all rights provided by this regulation through the
health 
insurance issuer or HMO, because they are covered entities in their own

right."

--John


---Original message---

Hi, David and Bonnie.

It's important to keep two terms distinct:  "plan administration
functions"
(which is a Privacy Rule term) and "plan administrator" (which is an
ERISA
term).

The plan administrator (which, under ERISA, is the plan sponsor unless
the
plan document says otherwise) has certain reporting and disclosure
functions
assigned to it by ERISA.  The plan administrator may also be (but need
not
be) the named fiduciary for purposes of the claims adjudication
procedures
that a group health plan is required to have under ERISA.

"Plan administration functions" is a poorly defined term in the
Privacy
Rule.  What it appears to signify is performing those functions that
make a
plan a covered entity--i.e., doing things that require working with
PHI.

Is the ERISA plan administrator necessarily a person who perform plan
administration functions?

No.  So long as the ERISA plan administrator is not also the named
fiduciary
for purposes
 of claims administration, it does not necessarily perform
plan
administration functions on account of the jobs assigned to it by
ERISA.
That is because the jobs assigned to it under ERISA may be performed on
the
basis of summary health information received and used for plan design
purposes (permitted under the Privacy Rule) or eligibility and
enrollment
information (also permitted under the Privacy Rule).

An ERISA plan administrator will perform plan administration
functions,
however, where it is also the named fiduciary for claims adjudication
purposes, i.e., the person who has to receive all the PHI relevant to
making
claims decisions.

In addition, where a plan is self-insured, the plan sponsor will ALWAYS
be
assigned the full gamut of responsibilities under the Privacy Rule,
without
regard to whether the plan sponsor contracts those functions out to a
third
party.

Thus, for example, if you are a self-insured plan and you contract out
EVERYTHING to a third party administrator ("TPA"), you are not spared
ANY of
the requirements of the Privacy Rule.  Yo

Re: Self insured health plans & NPP

[David Blasi]

Without going into a lot of discussion about the difference between the
plan sponsor and plan administrator activities, the plan administrator
is responsible for this.  If you are also the plan administrator, than
you have both responsibilities.   Your SPD should state who is the plan
administrator for easy reference.  

>>> <[EMAIL PROTECTED]> 03/13/03 07:40AM >>>
We are an acute care hospital providing health insurance to our
employees
as a self-insured plan.  As the plan sponsor we are required to amend
our
group health plan document to comply with HIPAA.  Are we also
responsible
for drafting and providing to our employees a Notice of Privacy
Practice,
or is that the responsibility of the health plan?

Bonnie R Millman
Privacy Coordinator
Bayhealth Medical Center
640 South State Street
Dover, Delaware  19901

302-744-6728



__
CONFIDENTIALITY NOTICE:  The information contained in this e-mail
message
and any attachment(s) is intended only for
 the confidential use of the intended recipient(s) named above.  This
e-mail message and any attachment(s) may contain
confidential health information or other confidential information that
is
legally privileged and exempt from disclosure under
applicable law.  If the reader of this e-mail message is not the
intended
recipient or the employee agent responsible for
 delivering it to the intended recipient, you should be aware that any
dissemination, distribution, copying or action taken in
 reliance on the content of this e-mail message or any attachment(s)
is
strictly prohibited.  If this e-mail has been received
 in error, please notify us immediately via e-mail at
[EMAIL PROTECTED] and delete or otherwise destroy the
original message, any attachment(s) and copies.  Thank you for your
cooperation.


---
The WEDI SNIP listserv to which you are subscribed is not moderated.
The discussions on this listserv therefore represent the views of the
individual participants, and do not necessarily represent the views of
the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an
official opinion, post your question to the WEDI SNIP Issues Database at
http://snip.wedi.org/tracking/.   These listservs should not be used for
commercial marketing purposes or discussion of specific vendor products
and services.  They also are not intended to be used as a forum for
personal disagreements or unprofessional communication at any time.

You are currently subscribed to wedi-privacy as:
[EMAIL PROTECTED] 
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at
http://subscribe.wedi.org or send a blank email to
[EMAIL PROTECTED] 
If you need to unsubscribe but your current email address is not the
same as the address subscribed to the list, please use the
Subscribe/Unsubscribe form at http://subscribe.wedi.org 



---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions 
on this listserv therefore represent the views of the individual participants, and do 
not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If 
you wish to receive an official opinion, post your question to the WEDI SNIP Issues 
Database at http://snip.wedi.org/tracking/.   These listservs should not be used for 
commercial marketing purposes or discussion of specific vendor products and services.  
They also are not intended to be used as a forum for personal disagreements or 
unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at 
http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as the 
address subscribed to the list, please use the Subscribe/Unsubscribe form at 
http://subscribe.wedi.org

RE: Minimum necessary

[David Blasi]

A live person on the phone is not limited to what can be provided in a
271 response or a 277 or any other HIPAA required response.  Talking to
a person on the phone is not considered the use of "electronic media",
as defined by 162.103.  Direct Data Entry, which is the subject of the
limitation to which you are referring, cannot have incentives for its
use (See 196.925(4)).  A prohibition on incentives for other modes of
electronic media communications are what is intended, not limiting
the usefulness of picking up a phone and trying to get a situation
resolved by speaking to a live person.  

 

>>> "Schmidt, Lee M" <[EMAIL PROTECTED]> 03/05/03 04:26PM
>>>
Assuming the inquiry was through a phone call and that the HMO &Client
were
covered entities, the phone rep should provide the same level of
benefit
information made available through the 271 response and any HMO
eligibility
web applications to which the provider has access.  

In short, there can be no incentive for the provider to use one mode
of
inquiry over another which means all avenues of disseminating
eligibility
information must provide the same level of detail.

Understand that the 271 does provide comprehensive benefit information,
but
at this time the government regulates that the minimum response to an
eligibility inquiry is a yes/no. 

Thanks,
 
Lee M. Schmidt
Magellan Behavioral Health
HIPAA / I.T. Project Manager, Claims Applications 
Local: (314) 387-5445 
Toll Free (St. Louis): 1-800-450-7281 ext: 75445  
New Cell: (314) 960-0964 
Fax: 314-387-5655 or 314-292-1120 (Electronic)
E-Mail: [EMAIL PROTECTED]
 


-Original Message-
From: Jonathan Fox [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, March 05, 2003 1:04 PM
To: WEDI SNIP Privacy Workgroup List
Subject: Minimum necessary


Now that Privacy is right around the corner, a lot of people are
re-examining some of the Transactions work that has been done.

Here is a question that has privacy (minimum necessary) implications.

A provider performs an eligibility inquiry with their local HMO.  The
HMO responds with yes the member is eligible and here is a list of
their
benefits.  Clearly, the minimum requirements of the functionality of
the
transaction have been met, but how far can a payer go in giving
additional information (COB, HIC number, Group Number, Plan Number,
etc,
before you cross the minimum necessary (privacy) line.

Certainly, many of these pieces of information are not needed to get a
claim paid by that payer.  Is it the 
responsibility of the payer and/or is it within their right to divulge
information about other policies they may have.  

This is not a question about transaction functionality, as the
transaction clearly accommodates this data, but there seems to be a
slight contradiction with the minimum necessary clause of the Privacy
rule.

Thoughts please???

Jonathan Fox
Independent Health

---
The WEDI SNIP listserv to which you are subscribed is not moderated.
The
discussions on this listserv therefore represent the views of the
individual
participants, and do not necessarily represent the views of the WEDI
Board
of Directors nor WEDI SNIP. If you wish to receive an official opinion,
post
your question to the WEDI SNIP Issues Database at
http://snip.wedi.org/tracking/.   These listservs should not be used
for
commercial marketing purposes or discussion of specific vendor products
and
services.  They also are not intended to be used as a forum for
personal
disagreements or unprofessional communication at any time.

You are currently subscribed to wedi-privacy as:
[EMAIL PROTECTED] 
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at
http://subscribe.wedi.org or send a blank email to
[EMAIL PROTECTED] 
If you need to unsubscribe but your current email address is not the
same as
the address subscribed to the list, please use the
Subscribe/Unsubscribe
form at http://subscribe.wedi.org 

---
The WEDI SNIP listserv to which you are subscribed is not moderated.
The discussions on this listserv therefore represent the views of the
individual participants, and do not necessarily represent the views of
the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an
official opinion, post your question to the WEDI SNIP Issues Database at
http://snip.wedi.org/tracking/.   These listservs should not be used for
commercial marketing purposes or discussion of specific vendor products
and services.  They also are not intended to be used as a forum for
personal disagreements or unprofessional communication at any time.

You are currently subscribed to wedi-privacy as:
[EMAIL PROTECTED] 
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at
http://subscribe.wedi.org or send a blank email to
[EMAIL PROTECTED] 
If you need to unsubscribe but your current email address is not the
same as the address subscribed to the list, please use the
Subscribe/Unsubscribe form at http://subscribe.wedi.org 



---
The WEDI SNIP lis

Re: DOL vs. HIPAA

[David Blasi]

I would just add that I hope that if CMS decides to expand on this in a
Q&A or in whatever manner they choose that they consult with their
counterparts at the DOL.  I have made comments several times about the
discrepancy between HIPAA and ERISA.  It benefits everyone if as much
information about how claims were paid are included on an EOB.  That is
ERISA's goal.  Very simply the HIPAA concerns can be addressed by the
patient having the EOB sent to an alternative address or requiring that
it be addressed to the patient.  It is then up to the patient to control
their own PHI.  A health plan should not be responsible for someone
opening another person's mail.  

>>> "David Ermer" <[EMAIL PROTECTED]> 02/20/03 07:37PM >>>
Michele -- I am not aware of any HHS statement in the 12/28/2000
preamble to the effect that diagnosis information must be stripped
from
the EOB in order to achieve Privacy Rule compliance. I have quoted the
relevant preamble statements below my signature.

Although HHS has not issued any dictates about the substance of the
EOB,
it's important to recall that payment communications such as the EOB
are
subject to the minimum necessary rule. Consequently, if it's not
necessary to communicate the diagnosis to achieve the purpose of the
communication, then the diagnosis shouldn't be included. 

Getting to your question, a valid purpose of the EOB is communicate
payment information in compliance with with ERISA. Therefore, in my
opinion, if ERISA requires disclosure of the diagnosis in a particular
situation, e.g, at the appeal stage, the disclosure of the diagnosis
on
the EOB would fit within the minimum necessary standard. 

I do agree with you that it would be helpful for DOL to provide
official
guidance integrating the claims processing rule with the Privacy Rule.


Best regards, Dave Ermer 

P.S. Here are the 12/28/00 preamble statements that I found:

Comment: A commenter noted that the definition of "disclosure" should
reflect that health plan correspondence containing protected health
information, such as Explanation of Benefits (EOBs), is frequently
sent
to the policyholder. Therefore, it was suggested that the words
"provision of access to" be deleted from the definition and that 
"disclosure" be clarified to include the conveyance of protected
health
information to a third party.

Response: The definition is, on its face, broad enough to cover the
transfers of information described and so is not changed. We agree
that
health plans must be able to send EOBs to policyholders. Sending EOB
correspondence to a policyholder by a covered entity is a disclosure
for
purposes of this rule, but it is a disclosure for purposes of payment.
Therefore, subject to the provisions of § 164.522(b) regarding
Confidential Communications, it is permitted even if it discloses to
the
policyholder protected health information about another individual
(see
below).

Comment: Certain commenters explained that third party administrators
usually communicate with employees through Explanation of Benefit
(EOB)
reports on behalf of their dependents (including those who might not
be
minor children). Thus, the employee might be apprized of the medical
encounters of his or her dependents but not of medical diagnoses
unless
there is an over-riding reason, such as a child suspected of drug
abuse
due to multiple prescriptions. The commenters urged that the current
claim processing procedures be allowed to continue.

Response: We agree. We interpret the definition of payment and, in
particular the term 'claims management,' to include such disclosures
of
protected health information.

Comment: One commenter requested that we create a standard that all
information from a health plan be sent to the patient and not the
policyholder or subscriber.

Response: We require health plans to accommodate certain requests that
information not be sent to a particular location or by particular
means.
A health plan must accommodate reasonable requests by individuals that
protected health information about them be sent directly to them and
not
to a policyholder or subscriber, if the individual states that he or
she
may be in danger from disclosure of such information. We did not
generally require health plans to send information to the patient and
not the policyholder or subscriber because we believed it would be
administratively burdensome and because the named insured may have a
valid need for such information to manage payment and benefits." 






Gordon & Barnett
1133 21st St., NW, Suite 450
Washington, DC 20036
202-833-3400 ext 3009 (voice)
202-223-0120 (fax)
www.gordon-barnett.com 
>>> <[EMAIL PROTECTED]> 02/20/03 18:16 PM >>>
Looking for some thoughts from all...

HIPAA preamble references the ability to send EOBs to the subscriber
containing member information as long as the diagnosis is stripped. 
We
view this and felt as though this would extend to diagnosis
description,
procedure code and procedure description and have been maki

RE: acknowledgement of Notice of Privacy Practices (NPP)

[David Blasi]

Just wanted to add for some of those who aren't "knee-deep" in HIPAA
that the acknowledgment requirement discussion is a health care provider
issue.  For health plans the acknowledgment requirement in 164.520(c)(2)
is not applicable.  Health plans should be able to satisfy their notice
requirement via normal first class mail; just like mailing SPD's, COBRA
notices, etc. 

>>> "Patricia Hamby" <[EMAIL PROTECTED]> 02/17/03 04:29PM
>>>
Would this maybe fall under "reasonable" and may depend upon the size
of the
CE? Great question.  Interested to see what others have to say.  

Patricia Hamby
HIPAA Compliance Project Manager
XANTUS Healthplan of Tennessee, Inc. 
(615) 463-1612, Office
(615) 279-1301, Facsimile
http://www.xantushealthplan.com/hipaa/page3.html 


-Original Message-
From: Noel Chang [mailto:[EMAIL PROTECTED]] 
Sent: Monday, February 17, 2003 3:35 PM
To: WEDI SNIP Privacy Workgroup List
Subject: Re: acknowledgement of Notice of Privacy Practices (NPP)


I haven't taken the time to research this enough to cite any references
in 
support of my position, but my initial reaction is that just mailing
the NPP

is not adequate to make a good faith effort.

The requirement is that you make a good faith effort to obtain written

acknowledgment of their receipt of the NPP.  If all you do is mail the
NPP, 
what have to done to try and document they received it?  If you have a
return 
form for the patient to send back I guess you can then argue that you
did do

something to try and obtain their acknowledgment but is just a form
with no 
return envelope or postage a "good faith effort"?  I'd say no but that
is 
just my opinion.

Even if you included a return envelope and postage I don't know that I
would

consider that a good faith effort.  The Rule says you have to
distribute the

notice by the first delivery of service.  For the moment lets ignore 
electronic delivery of service or of the NPP.  That aside, if you only
have 
to deliver the notice the first time the individual physically sets
foot in 
your facility, how hard is it to get someone to hand them a couple of
sheets

of paper and sign an acknowledgment?  Keep in mind the acknowledgment
is
just 
that they RECEIVED the Notice.  Not that they read it, not that they 
understand it.  You can hand it to them, they can through it in the
trash 
(hopefully a recycling bin so you can use it on the next patient), and
you 
can still ask them to sign a statement that says they RECEIVED the
Notice.

Unless you are one of the rare entities that have implemented a truly 
paperless patient record system, you have a paper chart for every
patient.  
Someone in your facility is probably handling that chart when the
patient 
comes in.  If the reception of patients into your facility is not
centralized 
so you cannot hand out the forms at one patient check-in desk, then
perhaps 
you need to de-centralize the distribution of the NPP.  Whoever sees
the 
patient needs to look at the chart and determine if the patient has
received

an NPP or if they need to be given one.  One thing I am doing with some

clients is implementing an NPP Receipt Acknowledgment form that is on a

distinct color paper so you can immediately recognize whether or not
there
is 
an acknowledgment form in the chart.  Remember you only need to get
their 
acknowledgment once, even if you subsequently revise the Notice, so
there is

no need to look at the acknowledgment to see when they signed it, what

version of the NPP they were given, or anything else.  Just glance at
the 
chart to see if there is a fuscia piece of paper (or whatever unique
color 
you prefer).  If there isn't, ask them to sign an acknowledgment form
as you

hand them a copy of your NPP.

I work only with small group practices and solo practitioners so I'm
sure 
there are issues for larger players, asside from pure volume of
patients, 
that I have not had to consider.  I have to admit though, I never
thought
the 
requirement to distribute the NPP and obtain an acknowledgment would
require

any additional resources like part time employees.

Noel Chang
Noel Chang

 

--
Open WebMail Project (http://openwebmail.org)


-- Original Message ---
From: [EMAIL PROTECTED] 
To: "WEDI SNIP Privacy Workgroup List" <[EMAIL PROTECTED]>
Sent: Mon, 17 Feb 2003 14:27:30 -0500
Subject: acknowledgement of Notice of Privacy Practices (NPP)

> On April 15, 2003, we are anticipating that we simply do not have 
> the staff available to supply all patients that walk in our door 
> with our NPP.  It's hard to find someone to do a job like this for 
> only 3-4 months!  We plan to hire college students to accomplish 
> this task when school let outs in May.  
> 
> Nevertheless, in order to be compliant with the April 15, 2003 
> deadline, is it acceptable to mail out our NPP to scheduled patients

> ahead of time?  
> 
> Is the fact that we are mailing them out  (and let's say we can keep

> track of who got SENT one) sufficient in itself