Hi, John.
The way I read the Privacy Rule, a plan sponsor
that self-insures will always bear the ultimate responsibility for complying
with the Privacy Rule and will not be treated as functionally equivalent to a
plan sponsor that insures benefits, even if the self-insuring plan sponsor
contracts out all functions involving PHI.
Nevertheless, I agree with you that conduct matters
under the Privacy Rule. All other things being equal, the actual
compliance burdens of a plan sponsor that contracts out functions will be
considerably less than one that performs all administration
in-house.
Thanks for your comments.
John
----- Original Message -----
Sent: Thursday, March 13, 2003 12:17 PM
Subject: Re: Self insured health plans & NPP
John,
Thanks for the great analysis on the
terminology differences between ERISA and HIPAA and the HIPAA
implications. I agree that self-insured health plans get stuck with all
the HIPAA requirements, but wonder about the extent to which compliance details
could be jobbed out to a TPA business associate.
Such health plans may
wish to avoid preparing and training staff on extensive policies and
procedures when for all practical purposes they don't see or maintain PHI
except enrollment data in their plan sponsor roles. The preamble to the
revised privacy regulations gives the plan a reduced set of requirements under
an "insurance contract" when the carrier performs these functions. Could
the same guidance apply if the TPA does all the heavy
lifting?
Following is the language from the preamble:
"Group
health plans, to the extent they provide health benefits only through an
insurance contract with a health insurance issuer or HMO and do not create,
receive, or maintain protected health information (except for summary
information or enrollment and disenrollment information), are not required to
comply with the requirements of §§ 164.520 or 164.530, except for the
documentation requirements of § 164.530(j). In addition, because the group
health plan does not have access to protected health information, the
requirements of §§ 164.524, 164.526, and 164.528 are not applicable.
Individuals enrolled in a group health plan that provides benefits only
through an insurance contract with a health insurance issuer or HMO would have
access to all rights provided by this regulation through the health insurance
issuer or HMO, because they are covered entities in their own
right."
--John
---Original message---
Hi, David and Bonnie.
It's important to keep two terms distinct: "plan
administration functions" (which is a Privacy Rule term) and "plan
administrator" (which is an ERISA term).
The plan administrator
(which, under ERISA, is the plan sponsor unless the plan document says
otherwise) has certain reporting and disclosure functions assigned to it by
ERISA. The plan administrator may also be (but need not be) the named
fiduciary for purposes of the claims adjudication procedures that a group
health plan is required to have under ERISA.
"Plan administration
functions" is a poorly defined term in the Privacy Rule. What it
appears to signify is performing those functions that make a plan a covered
entity--i.e., doing things that require working with PHI.
Is the ERISA plan administrator necessarily a person who performs plan
administration functions?
No. So long as the ERISA plan administrator is not
also the named fiduciary for purposes of claims administration, it does not
necessarily perform plan administration functions on account of the jobs
assigned to it by ERISA. That is because the jobs assigned to it under
ERISA may be performed on the basis of summary health information received
and used for plan design purposes (permitted under the Privacy Rule) or
eligibility and enrollment information (also permitted under the Privacy
Rule).
An ERISA plan administrator will perform plan administration
functions, however, where it is also the named fiduciary for claims
adjudication purposes, i.e., the person who has to receive all the PHI
relevant to making claims decisions.
In addition, where a plan is
self-insured, the plan sponsor will ALWAYS be assigned the full gamut of
responsibilities under the Privacy Rule, without regard to whether the plan
sponsor contracts those functions out to a third party.
Thus, for
example, if you are a self-insured plan and you contract out EVERYTHING to
a third party administrator ("TPA"), you are not spared ANY of the
requirements of the Privacy Rule. You must still prepare and
distribute an NPP to your participants and satisfy all of the Privacy
Rule's administrative requirements.
In the case of the self-insured
group health plan maintained by your hospital for its employees, all of the
provisions of the Privacy Rule will apply.
However, your hospital
and the group health plan may (and probably do) have different compliance
dates. The compliance date for health care providers is the first
date of service after April 14, 2003. The compliance date for health
plans (including group health plans) is April 14, 2003 for large plans and
April 14, 2004 for small plans. A "large plan" is one that
has "receipts" (i.e., pays premiums in the case of an insured plan or
provides benefits in the case of a self-insured plan) of $5,000,000 or more
annually. A "small plan" is one that has annual receipts of less than
$5,000,000.
Hope this helps.
John D'Amato redHIPAA.com
(coming soon)
--- The WEDI SNIP listserv to which you are
subscribed is not moderated. The discussions on this listserv therefore
represent the views of the individual participants, and do not necessarily
represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish
to receive an official opinion, post your question to the WEDI SNIP Issues
Database at http://snip.wedi.org/tracking/. These listservs should not be used
for commercial marketing purposes or discussion of specific vendor products
and services. They also are not intended to be used as a forum for personal
disagreements or unprofessional communication at any time.
You are
currently subscribed to wedi-privacy as: [EMAIL PROTECTED] To
unsubscribe from this list, go to the Subscribe/Unsubscribe form at
http://subscribe.wedi.org or send a blank email to
[EMAIL PROTECTED] If you need to unsubscribe but
your current email address is not the same as the address subscribed to the
list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org
---