Re: Self insured health plans NPP

2003-03-14 Thread Sue Ryan
John,

Thank you for your prompt and thorough response.  You helped clarify and
validate what I thought was correct.

The company that I made reference to is a BA, not a CE.  The BA does have an
employee onsite that acts as a liaison between the PEO and the company for
most of the HR functions.  This includes assisting with enrollment functions
AND, until our review, assisting employees with their health claim problems.
Since their health benefits were put up for bid, the enrollment forms
included a medical history questionnaire. This questionnaire was collected
by the liaison and forwarded to the PEO as part of the enrollment forms.
However, a copy was also maintained onsite.  The end result was that their
medical benefits changed from a self-insured GHP to a fully insured plan for
medical but their dental GHP was going to remain self-insured.

One of our recommendations to this company was to reassess, i.e., risk
assess, whether the company wanted the liaison to continue with providing
this level of assistance to its employees and thereby requiring changes to
their SPD and a greater responsibility under the Privacy Rule.  Per our
feedback, they chose not to.  Additionally, we recommended to the company
that the liaison separate the personnel file documents from any GHP
documents and to destroy the copies of the questionnaires.

As to your question, interestingly, the PEO had made no contact with this
company in regard to a BA agreement, assessing the functions the liaison was
performing, what the PEO was expecting to do as far as issuing the NPP
(since dental is still self-insured) or HIPAA training in general.

What I have found is that not everything is what you think it is when you
approach each type of entity (CE, BA, or Employer).  There are always twists
and turns and surprises that need to be considered in each particular
situation.  Sue

Confidentiality Notice: This email message, including any attachments, is for
the sole use of the intended recipient(s) and may contain confidential and
privileged information.  Any unauthorized review, use, disclosure or
distribution is prohibited.  If you are not the intended recipient, please
contact Hazen Group, Inc. at (317) 849-6065 and destroy all copies of the
original message.

Sue Ryan, RN, MPS
Consultant
Hazen Group, Inc.
Phone: (315) 468-2603
Fax: (315) 487-0153

- Original Message -
From: John J. D'Amato [EMAIL PROTECTED]
To: Sue Ryan [EMAIL PROTECTED]; WEDI SNIP Privacy Workgroup List
[EMAIL PROTECTED]
Sent: Thursday, March 13, 2003 10:20 PM
Subject: Re: Self insured health plans  NPP


 Hi, Sue.

 What I meant by my comment is that a group health plan's relationship to a
 health insurance issuer and its relationship to a TPA are associated with
 radically different legal responsibilities under the Privacy Rule, even
 where the two relationships are functionally equivalent.  This is sometimes
 disconcerting to self-insuring clients who believe that by contracting out
 functions to a TPA, they ought to be relieved of responsibilities under the
 Privacy Rule.

 But you have raised a different fact pattern.  I take it that you are
 referring to the situation in which an employer contracts with an employee
 leasing or similar company.  In such a situation, the recipient of the
 services of the employees (your organization) is not the employer of record,
 and the leased employees receive benefits under plans sponsored and
 maintained by the leasing company, not by the recipient of the services.

 If that is your situation, then I would agree with you that the plan sponsor
 is not your company, but the leasing company, and the Privacy Rule burdens
 fall on that company and its group health plan, not on your company.  Those
 burdens would include providing or maintaining an NPP (to the extent that
 benefits are self-insured or the PEO receives or creates PHI beyond summary
 health or enrollment information).

 Nevertheless, I think you should think carefully about how the Privacy Rule
 may affect your company.  Are there individuals who are employed by your
 company (not the PEO) and who deal with the PEO regarding health plan
 matters?  If so, then those individuals will be members of the health plan's
 workforce (even though they are your employees) and will require Privacy
 Rule training, etc.

 In particular, if your company (or the PEO) sponsors an EAP, consider how
 the flow of information works from management personnel in your company to
 the EAP and back.  You will want to insure that safeguards are in place with
 respect to the confidentiality of this information and to make sure that you
 (or the PEO, if it is a PEO plan) obtain whatever authorizations will be
 required to monitor the satisfactory completion of treatment by an
 individual referred to EAP.

 Out of curiosity, is the PEO requiring your company to enter into a BA
 agreement with it?

 Hope this helps.
 John
 redhipaa.com (coming soon)

  John,
 
  In your explanation, you state

Re: Self insured health plans NPP

2003-03-13 Thread David Blasi
Without going into a lot of discussion about the difference between the
plan sponsor and plan administrator activities, the plan administrator
is responsible for this.  If you are also the plan administrator, then
you have both responsibilities.   Your SPD should state who is the plan
administrator for easy reference.  

 [EMAIL PROTECTED] 03/13/03 07:40AM 
We are an acute care hospital providing health insurance to our employees
as a self-insured plan.  As the plan sponsor we are required to amend our
group health plan document to comply with HIPAA.  Are we also responsible
for drafting and providing to our employees a Notice of Privacy Practice,
or is that the responsibility of the health plan?

Bonnie R Millman
Privacy Coordinator
Bayhealth Medical Center
640 South State Street
Dover, Delaware  19901

302-744-6728



__
CONFIDENTIALITY NOTICE:  The information contained in this e-mail message
and any attachment(s) is intended only for the confidential use of the
intended recipient(s) named above.  This e-mail message and any
attachment(s) may contain confidential health information or other
confidential information that is legally privileged and exempt from
disclosure under applicable law.  If the reader of this e-mail message is
not the intended recipient or the employee agent responsible for delivering
it to the intended recipient, you should be aware that any dissemination,
distribution, copying or action taken in reliance on the content of this
e-mail message or any attachment(s) is strictly prohibited.  If this e-mail
has been received in error, please notify us immediately via e-mail at
[EMAIL PROTECTED] and delete or otherwise destroy the original message, any
attachment(s) and copies.  Thank you for your cooperation.


---
The WEDI SNIP listserv to which you are subscribed is not moderated.
The discussions on this listserv therefore represent the views of the
individual participants, and do not necessarily represent the views of
the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an
official opinion, post your question to the WEDI SNIP Issues Database at
http://snip.wedi.org/tracking/.   These listservs should not be used for
commercial marketing purposes or discussion of specific vendor products
and services.  They also are not intended to be used as a forum for
personal disagreements or unprofessional communication at any time.

You are currently subscribed to wedi-privacy as:
[EMAIL PROTECTED] 
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at
http://subscribe.wedi.org or send a blank email to
[EMAIL PROTECTED] 
If you need to unsubscribe but your current email address is not the
same as the address subscribed to the list, please use the
Subscribe/Unsubscribe form at http://subscribe.wedi.org 





Re: Self insured health plans NPP

2003-03-13 Thread John J. D'Amato
Hi, David and Bonnie.

It's important to keep two terms distinct:  plan administration functions
(which is a Privacy Rule term) and plan administrator (which is an ERISA
term).

The plan administrator (which, under ERISA, is the plan sponsor unless the
plan document says otherwise) has certain reporting and disclosure functions
assigned to it by ERISA.  The plan administrator may also be (but need not
be) the named fiduciary for purposes of the claims adjudication procedures
that a group health plan is required to have under ERISA.

Plan administration functions is a poorly defined term in the Privacy
Rule.  What it appears to signify is performing those functions that make a
plan a covered entity--i.e., doing things that require working with PHI.

Is the ERISA plan administrator necessarily a person who performs plan
administration functions?

No.  So long as the ERISA plan administrator is not also the named fiduciary
for purposes of claims administration, it does not necessarily perform plan
administration functions on account of the jobs assigned to it by ERISA.
That is because the jobs assigned to it under ERISA may be performed on the
basis of summary health information received and used for plan design
purposes (permitted under the Privacy Rule) or eligibility and enrollment
information (also permitted under the Privacy Rule).

An ERISA plan administrator will perform plan administration functions,
however, where it is also the named fiduciary for claims adjudication
purposes, i.e., the person who has to receive all the PHI relevant to making
claims decisions.

In addition, where a plan is self-insured, the plan sponsor will ALWAYS be
assigned the full gamut of responsibilities under the Privacy Rule, without
regard to whether the plan sponsor contracts those functions out to a third
party.

Thus, for example, if you are a self-insured plan and you contract out
EVERYTHING to a third party administrator (TPA), you are not spared ANY of
the requirements of the Privacy Rule.  You must still prepare and distribute
an NPP to your participants and satisfy all of the Privacy Rule's
administrative requirements.

In the case of the self-insured group health plan maintained by your
hospital for its employees, all of the provisions of the Privacy Rule will
apply.

 However, your hospital and the group health plan may (and probably do) have
different compliance dates.  The compliance date for health care providers
is the first date of service after April 14, 2003.  The compliance date for
health plans (including group health plans) is April 14, 2003 for large
plans and April 14, 2004 for small plans.  A large plan is one that has
receipts (i.e., pays premiums in the case of an insured plan or provides
benefits in the case of a self-insured plan) of $5,000,000 or more annually.
A small plan is one that has annual receipts of less than $5,000,000.

Hope this helps.

John D'Amato
redHIPAA.com (coming soon)

- Original Message -
From: David Blasi [EMAIL PROTECTED]
To: WEDI SNIP Privacy Workgroup List [EMAIL PROTECTED]
Sent: Thursday, March 13, 2003 3:51 AM
Subject: Re: Self insured health plans  NPP


 Without going into a lot of discussion about the difference between the
 plan sponsor and plan administrator activities, the plan administrator
 is responsible for this.  If you are also the plan administrator, then
 you have both responsibilities.   Your SPD should state who is the plan
 administrator for easy reference.

  [EMAIL PROTECTED] 03/13/03 07:40AM 
 We are an acute care hospital providing health insurance to our employees
 as a self-insured plan.  As the plan sponsor we are required to amend our
 group health plan document to comply with HIPAA.  Are we also responsible
 for drafting and providing to our employees a Notice of Privacy Practice,
 or is that the responsibility of the health plan?

 Bonnie R Millman
 Privacy Coordinator
 Bayhealth Medical Center
 640 South State Street
 Dover, Delaware  19901

 302-744-6728




Re: Self insured health plans NPP

2003-03-13 Thread Sue Ryan
John,

In your explanation, you state that if you are a self-insured plan and you
contract out EVERYTHING to a third party administrator (TPA), you are not
spared ANY of the requirements of the Privacy Rule.  You must still prepare
and distribute an NPP to your participants and satisfy all of the Privacy
Rule's administrative requirements.

Does this apply if you have contracted out your HR function to a PEO
(Professional Employer Organ.) that includes the administration of the
benefit plans (health & dental) and the PEO is identified as the plan
sponsor / administrator of the group health/dental plans?  Can the PEO
develop and distribute the NPP to the participants (employees)?   Thank you,
Sue

Sue Ryan, RN, MPS
Consultant
Hazen Group, Inc.
Phone: (315) 468-2603
Fax: (315) 487-0153
- Original Message -
From: John J. D'Amato [EMAIL PROTECTED]
To: WEDI SNIP Privacy Workgroup List [EMAIL PROTECTED]
Sent: Thursday, March 13, 2003 1:48 PM
Subject: Re: Self insured health plans  NPP


 Hi, David and Bonnie.

 It's important to keep two terms distinct:  plan administration functions
 (which is a Privacy Rule term) and plan administrator (which is an ERISA
 term).

 The plan administrator (which, under ERISA, is the plan sponsor unless the
 plan document says otherwise) has certain reporting and disclosure functions
 assigned to it by ERISA.  The plan administrator may also be (but need not
 be) the named fiduciary for purposes of the claims adjudication procedures
 that a group health plan is required to have under ERISA.

 Plan administration functions is a poorly defined term in the Privacy
 Rule.  What it appears to signify is performing those functions that make a
 plan a covered entity--i.e., doing things that require working with PHI.

 Is the ERISA plan administrator necessarily a person who performs plan
 administration functions?

 No.  So long as the ERISA plan administrator is not also the named fiduciary
 for purposes of claims administration, it does not necessarily perform plan
 administration functions on account of the jobs assigned to it by ERISA.
 That is because the jobs assigned to it under ERISA may be performed on the
 basis of summary health information received and used for plan design
 purposes (permitted under the Privacy Rule) or eligibility and enrollment
 information (also permitted under the Privacy Rule).

 An ERISA plan administrator will perform plan administration functions,
 however, where it is also the named fiduciary for claims adjudication
 purposes, i.e., the person who has to receive all the PHI relevant to making
 claims decisions.

 In addition, where a plan is self-insured, the plan sponsor will ALWAYS be
 assigned the full gamut of responsibilities under the Privacy Rule, without
 regard to whether the plan sponsor contracts those functions out to a third
 party.

 Thus, for example, if you are a self-insured plan and you contract out
 EVERYTHING to a third party administrator (TPA), you are not spared ANY of
 the requirements of the Privacy Rule.  You must still prepare and distribute
 an NPP to your participants and satisfy all of the Privacy Rule's
 administrative requirements.

 In the case of the self-insured group health plan maintained by your
 hospital for its employees, all of the provisions of the Privacy Rule will
 apply.

 However, your hospital and the group health plan may (and probably do) have
 different compliance dates.  The compliance date for health care providers
 is the first date of service after April 14, 2003.  The compliance date for
 health plans (including group health plans) is April 14, 2003 for large
 plans and April 14, 2004 for small plans.  A large plan is one that has
 receipts (i.e., pays premiums in the case of an insured plan or provides
 benefits in the case of a self-insured plan) of $5,000,000 or more annually.
 A small plan is one that has annual receipts of less than $5,000,000.

 Hope this helps.

 John D'Amato
 redHIPAA.com (coming soon)

 - Original Message -
 From: David Blasi [EMAIL PROTECTED]
 To: WEDI SNIP Privacy Workgroup List [EMAIL PROTECTED]
 Sent: Thursday, March 13, 2003 3:51 AM
 Subject: Re: Self insured health plans  NPP


  Without going into a lot of discussion about the difference between the
  plan sponsor and plan administrator activities, the plan administrator
  is responsible for this.  If you are also the plan administrator, then
  you have both responsibilities.   Your SPD should state who is the plan
  administrator for easy reference.
 
   [EMAIL PROTECTED] 03/13/03 07:40AM 
  We are an acute care

Re: Self insured health plans NPP

2003-03-13 Thread John J. D'Amato
Hi, Sue.

What I meant by my comment is that a group health plan's relationship to a
health insurance issuer and its relationship to a TPA are associated with
radically different legal responsibilities under the Privacy Rule, even
where the two relationships are functionally equivalent.  This is sometimes
disconcerting to self-insuring clients who believe that by contracting out
functions to a TPA, they ought to be relieved of responsibilities under the
Privacy Rule.

But you have raised a different fact pattern.  I take it that you are
referring to the situation in which an employer contracts with an employee
leasing or similar company.  In such a situation, the recipient of the
services of the employees (your organization) is not the employer of record,
and the leased employees receive benefits under plans sponsored and
maintained by the leasing company, not by the recipient of the services.

If that is your situation, then I would agree with you that the plan sponsor
is not your company, but the leasing company, and the Privacy Rule burdens
fall on that company and its group health plan, not on your company.  Those
burdens would include providing or maintaining an NPP (to the extent that
benefits are self-insured or the PEO receives or creates PHI beyond summary
health or enrollment information).

Nevertheless, I think you should think carefully about how the Privacy Rule
may affect your company.  Are there individuals who are employed by your
company (not the PEO) and who deal with the PEO regarding health plan
matters?  If so, then those individuals will be members of the health plan's
workforce (even though they are your employees) and will require Privacy
Rule training, etc.

In particular, if your company (or the PEO) sponsors an EAP, consider how
the flow of information works from management personnel in your company to
the EAP and back.  You will want to insure that safeguards are in place with
respect to the confidentiality of this information and to make sure that you
(or the PEO, if it is a PEO plan) obtain whatever authorizations will be
required to monitor the satisfactory completion of treatment by an
individual referred to EAP.

Out of curiosity, is the PEO requiring your company to enter into a BA
agreement with it?

Hope this helps.
John
redhipaa.com (coming soon)

 John,

 In your explanation, you state that if you are a self-insured plan and you
 contract out EVERYTHING to a third party administrator (TPA), you are not
 spared ANY of the requirements of the Privacy Rule.  You must still prepare
 and distribute an NPP to your participants and satisfy all of the Privacy
 Rule's administrative requirements.

 Does this apply if you have contracted out your HR function to a PEO
 (Professional Employer Organ.) that includes the administration of the
 benefit plans (health & dental) and the PEO is identified as the plan
 sponsor / administrator of the group health/dental plans?  Can the PEO
 develop and distribute the NPP to the participants (employees)?   Thank you,
 Sue

 Sue Ryan, RN, MPS
 Consultant
 Hazen Group, Inc.
 Phone: (315) 468-2603
 Fax: (315) 487-0153
 - Original Message -
 From: John J. D'Amato [EMAIL PROTECTED]
 To: WEDI SNIP Privacy Workgroup List [EMAIL PROTECTED]
 Sent: Thursday, March 13, 2003 1:48 PM
 Subject: Re: Self insured health plans  NPP


  Hi, David and Bonnie.
 
  It's important to keep two terms distinct:  plan administration functions
  (which is a Privacy Rule term) and plan administrator (which is an ERISA
  term).

  The plan administrator (which, under ERISA, is the plan sponsor unless the
  plan document says otherwise) has certain reporting and disclosure functions
  assigned to it by ERISA.  The plan administrator may also be (but need not
  be) the named fiduciary for purposes of the claims adjudication procedures
  that a group health plan is required to have under ERISA.

  Plan administration functions is a poorly defined term in the Privacy
  Rule.  What it appears to signify is performing those functions that make a
  plan a covered entity--i.e., doing things that require working with PHI.

  Is the ERISA plan administrator necessarily a person who performs plan
  administration functions?

  No.  So long as the ERISA plan administrator is not also the named fiduciary
  for purposes of claims administration, it does not necessarily perform plan
  administration functions on account of the jobs assigned to it by ERISA.
  That is because the jobs assigned to it under ERISA may be performed on the
  basis of summary health information received

Re: Self insured health plans NPP

2003-03-13 Thread John J. D'Amato



Hi, John.

The way I read the Privacy Rule, a plan sponsor 
that self-insures will always bear the ultimate responsibility for complying 
with the Privacy Rule and will not be treated as functionally equivalent to a 
plan sponsor that insures benefits, even if the self-insuring plan sponsor 
contracts out all functions involving PHI.

Nevertheless, I agree with you that conduct matters 
under the Privacy Rule. All other things being equal, the actual 
compliance burdens of a plan sponsor that contracts out functions will be 
considerably less than one that performs all administration 
in-house.

Thanks for your comments.
John

  - Original Message - 
  From: [EMAIL PROTECTED]
  To: WEDI SNIP Privacy Workgroup List
  Sent: Thursday, March 13, 2003 12:17 PM
  Subject: Re: Self insured health plans  NPP

  John,

  Thanks for the great analysis on the terminology differences between ERISA
  and HIPAA and the HIPAA implications.  I agree that self-insured health
  plans get stuck with all the HIPAA requirements, but wonder the extent to
  which compliance details could be jobbed out to a TPA business associate.

  Such health plans may wish to avoid preparing and training staff on
  extensive policies and procedures when for all practical purposes they
  don't see or maintain PHI except enrollment data in their plan sponsor
  roles.  The preamble to the revised privacy regulations gives the plan a
  reduced set of requirements under an "insurance contract" when the carrier
  performs these functions.  Could the same guidance apply if the TPA does
  all the heavy lifting?

  Following is the language from the preamble:

  "Group health plans, to the extent they provide health benefits only
  through an insurance contract with a health insurance issuer or HMO and do
  not create, receive, or maintain protected health information (except for
  summary information or enrollment and disenrollment information), are not
  required to comply with the requirements of §§ 164.520 or 164.530, except
  for the documentation requirements of § 164.530(j).  In addition, because
  the group health plan does not have access to protected health information,
  the requirements of §§ 164.524, 164.526, and 164.528 are not applicable.
  Individuals enrolled in a group health plan that provides benefits only
  through an insurance contract with a health insurance issuer or HMO would
  have access to all rights provided by this regulation through the health
  insurance issuer or HMO, because they are covered entities in their own
  right."

  --John

  ---Original message---

  Hi, David and Bonnie.

  It's important to keep two terms distinct: "plan administration functions"
  (which is a Privacy Rule term) and "plan administrator" (which is an ERISA
  term).

  The plan administrator (which, under ERISA, is the plan sponsor unless the
  plan document says otherwise) has certain reporting and disclosure functions
  assigned to it by ERISA.  The plan administrator may also be (but need not
  be) the named fiduciary for purposes of the claims adjudication procedures
  that a group health plan is required to have under ERISA.

  "Plan administration functions" is a poorly defined term in the Privacy
  Rule.  What it appears to signify is performing those functions that make a
  plan a covered entity--i.e., doing things that require working with PHI.

  Is the ERISA plan administrator necessarily a person who performs plan
  administration functions?

  No.  So long as the ERISA plan administrator is not also the named fiduciary
  for purposes of claims administration, it does not necessarily perform plan
  administration functions on account of the jobs assigned to it by ERISA.
  That is because the jobs assigned to it under ERISA may be performed on the
  basis of summary health information received and used for plan design
  purposes (permitted under the Privacy Rule) or eligibility and enrollment
  information (also permitted under the Privacy Rule).

  An ERISA plan administrator will perform plan administration functions,
  however, where it is also the named fiduciary for claims adjudication
  purposes, i.e., the person who has to receive all the PHI relevant to making
  claims decisions.

  In addition, where a plan is self-insured, the plan sponsor will ALWAYS be
  assigned the full gamut of responsibilities under the Privacy Rule, without
  regard to whether the plan sponsor contracts those functions out to a third
  party.

  Thus, for example, if you are a self-insured plan and you contract out
  EVERYTHING to a third party administrator ("TPA"), you are not spared ANY of
  the requirements of the Privacy Rule.  You must still prepare and distribute
  an NPP to your participants and satisfy all of the Privacy Rule's
  administrative requirements.

  In the case of the self-insured group health plan maintained by your
  hospital for its employees, all of the pro