John, Thank you for your prompt and thorough response. You helped clarify and validate what I thought was correct.
The company that I made reference is a BA, not a CE. The BA does have an employee onsite that acts as a liaison between the PEO and the company for most of the HR functions. This includes assisting with enrollment functions AND, until our review, assisting employees with their health claim problems. Since their health benefits were put up for bid, the enrollment forms included a medical history questionnaire. This questionnaire was collected by the liaison and forwarded to the PEO as part of the enrollment forms. However, a copy was also maintained onsite. The end result was that their medical benefits changed from a self-insured GHP to a fully insured plan for medical but their dental GHP was going to remain self-insured. One of our recommendations to this company was to reassess, i.e., risk assess, whether the company wanted the liaison to continue with providing this level of assistance to its employees and thereby requiring changes to their SPD and a greater responsibility under the Privacy Rule. Per our feedback, they chose not to. Additionally, we recommended to the company that the liaison separate the personnel file documents from any GHP documents and to destroy the copies of the questionnaires. As to your question, interestingly, the PEO had made no contact with this company in regard to a BA agreement, assessing the functions the liaison was performing, what the PEO was expecting to do as far as issuing the NPP (since dental is still self-insured) or HIPAA training in general. What I have found is that not everything is what you think it is when you approach each type of entity (CE, BA, or Employer). There are always twists and turns and surprises that need to be considered in each particular situation. Sue Confidentiality Notice: This email message, includng any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact Hazen Group, Inc. at (317) 849-6065 and destroy all copies of the original message. Sue Ryan, RN, MPS Consultant Hazen Group, Inc. Phone: (315) 468-2603 Fax: (315) 487-0153 ----- Original Message ----- From: "John J. D'Amato" <[EMAIL PROTECTED]> To: "Sue Ryan" <[EMAIL PROTECTED]>; "WEDI SNIP Privacy Workgroup List" <[EMAIL PROTECTED]> Sent: Thursday, March 13, 2003 10:20 PM Subject: Re: Self insured health plans & NPP > Hi, Sue. > > What I meant by my comment is that a group health plan's relationship to a > health insurance issuer and its relationship to a TPA are associated with > radically different legal responsibilities under the Privacy Rule, even > where the two relationships are functionally equivalent. This is sometimes > disconcerting to self-insuring clients who believe that by contracting out > functions to a TPA, they ought to be relieved of responsibilities under the > Privacy Rule. > > But you have raised a different fact pattern. I take it that you are > referring to the situation in which an employer contracts with an employee > leasing or similar company. In such a situation, the recipient of the > services of the employees (your organization) is not the employer of record, > and the leased employees receive benefits under plans sponsored and > maintained by the leasing company, not by the recipient of the services. > > If that is your situation, then I would agree with you that the plan sponsor > is not your company, but the leasing company, and the Privacy Rule burdens > fall on that company and its group health plan, not on your company. Those > burdens would include providing or maintaining an NPP (to the extent that > benefits are self-insured or the PEO receives or creates PHI beyond summary > health or enrollment information). > > Nevertheless, I think you should think carefully about how the Privacy Rule > may affect your company. Are there individuals who are employed by your > company (not the PEO) and who deal with the PEO regarding health plan > matters? If so, then those individuals will be members of the health plan's > "workforce" (even though they are your employees) and will require Privacy > Rule training, etc. > > In particular, if your company (or the PEO) sponsors an EAP, consider how > the flow of information works from management personnel in your company to > the EAP and back. You will want to insure that safeguards are in place with > respect to the confidentiality of this information and to make sure that you > (or the PEO, if it is a PEO plan) obtain whatever authorizations will be > required to monitor the satisfactory completion of treatment by an > individual referred to EAP. > > Out of curiosity, is the PEO requiring your company to enter into a BA > agreement with it? > > Hope this helps. > John > redhipaa.com (coming soon) > > > John, > > > > In your explanation, you state that "if you are a self-insured plan and > you > > contract out EVERYTHING to a third party administrator ("TPA"), you are > not > > spared ANY of the requirements of the Privacy Rule. You must still > prepare > > and distribute an NPP to your participants and satisfy all of the Privacy > > Rule's > > administrative requirements." > > > > Does this apply if you have contracted out your HR function to a PEO > > (Professional Employer Organ.) that includes the administratio of the > > benefit plans (health & dental) and the PEO is identified as the plan > > sponsor / administrator of the group health/dental plans? Can the PEO > > develop and distribute the NPP to the participants (employees)? Thank > you, > > Sue > > > > Confidentiality Notice: This email message, includng any attachments, is > for > > the sole use of the intended recipient(s) and may contain confidential and > > privileged information. Any unauthorized review, use, disclosure or > > distribution is prohibited. If you are not the intended recipient, please > > contact Hazen Group, Inc. at (317) 849-6065 and destroy all copies of the > > original message. > > > > Sue Ryan, RN, MPS > > Consultant > > Hazen Group, Inc. > > Phone: (315) 468-2603 > > Fax: (315) 487-0153 > > ----- Original Message ----- > > From: "John J. D'Amato" <[EMAIL PROTECTED]> > > To: "WEDI SNIP Privacy Workgroup List" <[EMAIL PROTECTED]> > > Sent: Thursday, March 13, 2003 1:48 PM > > Subject: Re: Self insured health plans & NPP > > > > > > > Hi, David and Bonnie. > > > > > > It's important to keep two terms distinct: "plan administration > > functions" > > > (which is a Privacy Rule term) and "plan administrator" (which is an > ERISA > > > term). > > > > > > The plan administrator (which, under ERISA, is the plan sponsor unless > the > > > plan document says otherwise) has certain reporting and disclosure > > functions > > > assigned to it by ERISA. The plan administrator may also be (but need > not > > > be) the named fiduciary for purposes of the claims adjudication > procedures > > > that a group health plan is required to have under ERISA. > > > > > > "Plan administration functions" is a poorly defined term in the Privacy > > > Rule. What it appears to signify is performing those functions that > make > > a > > > plan a covered entity--i.e., doing things that require working with PHI. > > > > > > Is the ERISA plan administrator necessarily a person who perform plan > > > administration functions? > > > > > > No. So long as the ERISA plan administrator is not also the named > > fiduciary > > > for purposes of claims administration, it does not necessarily perform > > plan > > > administration functions on account of the jobs assigned to it by ERISA. > > > That is because the jobs assigned to it under ERISA may be performed on > > the > > > basis of summary health information received and used for plan design > > > purposes (permitted under the Privacy Rule) or eligibility and > enrollment > > > information (also permitted under the Privacy Rule). > > > > > > An ERISA plan administrator will perform plan administration functions, > > > however, where it is also the named fiduciary for claims adjudication > > > purposes, i.e., the person who has to receive all the PHI relevant to > > making > > > claims decisions. > > > > > > In addition, where a plan is self-insured, the plan sponsor will ALWAYS > be > > > assigned the full gamut of responsibilities under the Privacy Rule, > > without > > > regard to whether the plan sponsor contracts those functions out to a > > third > > > party. > > > > > > Thus, for example, if you are a self-insured plan and you contract out > > > EVERYTHING to a third party administrator ("TPA"), you are not spared > ANY > > of > > > the requirements of the Privacy Rule. You must still prepare and > > distribute > > > an NPP to your participants and satisfy all of the Privacy Rule's > > > administrative requirements. > > > > > > In the case of the self-insured group health plan maintained by your > > > hospital for its employees, all of the provisions of the Privacy Rule > will > > > apply. > > > > > > However, your hospital and the group health plan may (and probably do) > > have > > > different compliance dates. The compliance date for health care > providers > > > is the first date of service after April 14, 2003. The compliance date > > for > > > health plans (including group health plans) is April 14, 2003 for large > > > plans and April 14, 2004 for small plans. A "large plan" is one that > has > > > "receipts" (i.e., pays premiums in the case of an insured plan or > provides > > > benefits in the case of a self-insured plan) of $5,000,000 or more > > annually. > > > A "small plan" is one that has annual receipts of less than $5,000,000. > > > > > > Hope this helps. > > > > > > John D'Amato > > > redHIPAA.com (coming soon) > > > > > > ----- Original Message ----- > > > From: "David Blasi" <[EMAIL PROTECTED]> > > > To: "WEDI SNIP Privacy Workgroup List" <[EMAIL PROTECTED]> > > > Sent: Thursday, March 13, 2003 3:51 AM > > > Subject: Re: Self insured health plans & NPP > > > > > > > > > > Without going into a lot of discussion about the difference between > the > > > > plan sponsor and plan administrator activities, the plan administrator > > > > is responsible for this. If you are also the plan administrator, than > > > > you have both responsibilities. Your SPD should state who is the > plan > > > > administrator for easy reference. > > > > > > > > >>> <[EMAIL PROTECTED]> 03/13/03 07:40AM >>> > > > > We are an acute care hospital providing health insurance to our > > > > employees > > > > as a self-insured plan. As the plan sponsor we are required to amend > > > > our > > > > group health plan document to comply with HIPAA. Are we also > > > > responsible > > > > for drafting and providing to our employees a Notice of Privacy > > > > Practice, > > > > or is that the responsibility of the health plan? > > > > > > > > Bonnie R Millman > > > > Privacy Coordinator > > > > Bayhealth Medical Center > > > > 640 South State Street > > > > Dover, Delaware 19901 > > > > > > > > 302-744-6728 > > > > > > > > > > > > > > > > ______________________________________________________________________ > > > > CONFIDENTIALITY NOTICE: The information contained in this e-mail > > > > message > > > > and any attachment(s) is intended only for > > > > the confidential use of the intended recipient(s) named above. This > > > > e-mail message and any attachment(s) may contain > > > > confidential health information or other confidential information that > > > > is > > > > legally privileged and exempt from disclosure under > > > > applicable law. If the reader of this e-mail message is not the > > > > intended > > > > recipient or the employee agent responsible for > > > > delivering it to the intended recipient, you should be aware that any > > > > dissemination, distribution, copying or action taken in > > > > reliance on the content of this e-mail message or any attachment(s) > > > > is > > > > strictly prohibited. If this e-mail has been received > > > > in error, please notify us immediately via e-mail at > > > > [EMAIL PROTECTED] and delete or otherwise destroy the > > > > original message, any attachment(s) and copies. Thank you for your > > > > cooperation. > > > > > > > > > > > > --- > > > > The WEDI SNIP listserv to which you are subscribed is not moderated. > > > > The discussions on this listserv therefore represent the views of the > > > > individual participants, and do not necessarily represent the views of > > > > the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an > > > > official opinion, post your question to the WEDI SNIP Issues Database > at > > > > http://snip.wedi.org/tracking/. These listservs should not be used > for > > > > commercial marketing purposes or discussion of specific vendor > products > > > > and services. They also are not intended to be used as a forum for > > > > personal disagreements or unprofessional communication at any time. > > > > > > > > You are currently subscribed to wedi-privacy as: > > > > [EMAIL PROTECTED] > > > > To unsubscribe from this list, go to the Subscribe/Unsubscribe form at > > > > http://subscribe.wedi.org or send a blank email to > > > > [EMAIL PROTECTED] > > > > If you need to unsubscribe but your current email address is not the > > > > same as the address subscribed to the list, please use the > > > > Subscribe/Unsubscribe form at http://subscribe.wedi.org > > > > > > > > > > > > > > > > --- > > > > The WEDI SNIP listserv to which you are subscribed is not moderated. > The > > > discussions on this listserv therefore represent the views of the > > individual > > > participants, and do not necessarily represent the views of the WEDI > Board > > > of Directors nor WEDI SNIP. If you wish to receive an official opinion, > > post > > > your question to the WEDI SNIP Issues Database at > > > http://snip.wedi.org/tracking/. These listservs should not be used for > > > commercial marketing purposes or discussion of specific vendor products > > and > > > services. They also are not intended to be used as a forum for personal > > > disagreements or unprofessional communication at any time. > > > > > > > > You are currently subscribed to wedi-privacy as: > > > [EMAIL PROTECTED] > > > > To unsubscribe from this list, go to the Subscribe/Unsubscribe form at > > > http://subscribe.wedi.org or send a blank email to > > > [EMAIL PROTECTED] > > > > If you need to unsubscribe but your current email address is not the > > same > > > as the address subscribed to the list, please use the > > Subscribe/Unsubscribe > > > form at http://subscribe.wedi.org > > > > > > > > > > > > --- > > > The WEDI SNIP listserv to which you are subscribed is not moderated. The > > discussions on this listserv therefore represent the views of the > individual > > participants, and do not necessarily represent the views of the WEDI Board > > of Directors nor WEDI SNIP. If you wish to receive an official opinion, > post > > your question to the WEDI SNIP Issues Database at > > http://snip.wedi.org/tracking/. These listservs should not be used for > > commercial marketing purposes or discussion of specific vendor products > and > > services. They also are not intended to be used as a forum for personal > > disagreements or unprofessional communication at any time. > > > > > > You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] > > > To unsubscribe from this list, go to the Subscribe/Unsubscribe form at > > http://subscribe.wedi.org or send a blank email to > > [EMAIL PROTECTED] > > > If you need to unsubscribe but your current email address is not the > same > > as the address subscribed to the list, please use the > Subscribe/Unsubscribe > > form at http://subscribe.wedi.org > > > > > > --- > > The WEDI SNIP listserv to which you are subscribed is not moderated. The > discussions on this listserv therefore represent the views of the individual > participants, and do not necessarily represent the views of the WEDI Board > of Directors nor WEDI SNIP. If you wish to receive an official opinion, post > your question to the WEDI SNIP Issues Database at > http://snip.wedi.org/tracking/. These listservs should not be used for > commercial marketing purposes or discussion of specific vendor products and > services. They also are not intended to be used as a forum for personal > disagreements or unprofessional communication at any time. > > > > You are currently subscribed to wedi-privacy as: > [EMAIL PROTECTED] > > To unsubscribe from this list, go to the Subscribe/Unsubscribe form at > http://subscribe.wedi.org or send a blank email to > [EMAIL PROTECTED] > > If you need to unsubscribe but your current email address is not the same > as the address subscribed to the list, please use the Subscribe/Unsubscribe > form at http://subscribe.wedi.org > > > > --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org