John,
Thank you for your prompt and thorough response. You helped clarify and
validate what I thought was correct.
The company that I made reference is a BA, not a CE. The BA does have an
employee onsite that acts as a liaison between the PEO and the company for
most of the HR functions. This includes assisting with enrollment functions
AND, until our review, assisting employees with their health claim problems.
Since their health benefits were put up for bid, the enrollment forms
included a medical history questionnaire. This questionnaire was collected
by the liaison and forwarded to the PEO as part of the enrollment forms.
However, a copy was also maintained onsite. The end result was that their
medical benefits changed from a self-insured GHP to a fully insured plan for
medical but their dental GHP was going to remain self-insured.
One of our recommendations to this company was to reassess, i.e., risk
assess, whether the company wanted the liaison to continue with providing
this level of assistance to its employees and thereby requiring changes to
their SPD and a greater responsibility under the Privacy Rule. Per our
feedback, they chose not to. Additionally, we recommended to the company
that the liaison separate the personnel file documents from any GHP
documents and to destroy the copies of the questionnaires.
As to your question, interestingly, the PEO had made no contact with this
company in regard to a BA agreement, assessing the functions the liaison was
performing, what the PEO was expecting to do as far as issuing the NPP
(since dental is still self-insured) or HIPAA training in general.
What I have found is that not everything is what you think it is when you
approach each type of entity (CE, BA, or Employer). There are always twists
and turns and surprises that need to be considered in each particular
situation. Sue
Confidentiality Notice: This email message, includng any attachments, is for
the sole use of the intended recipient(s) and may contain confidential and
privileged information. Any unauthorized review, use, disclosure or
distribution is prohibited. If you are not the intended recipient, please
contact Hazen Group, Inc. at (317) 849-6065 and destroy all copies of the
original message.
Sue Ryan, RN, MPS
Consultant
Hazen Group, Inc.
Phone: (315) 468-2603
Fax: (315) 487-0153
----- Original Message -----
From: "John J. D'Amato" <[EMAIL PROTECTED]>
To: "Sue Ryan" <[EMAIL PROTECTED]>; "WEDI SNIP Privacy Workgroup List"
<[EMAIL PROTECTED]>
Sent: Thursday, March 13, 2003 10:20 PM
Subject: Re: Self insured health plans & NPP
> Hi, Sue.
>
> What I meant by my comment is that a group health plan's relationship to a
> health insurance issuer and its relationship to a TPA are associated with
> radically different legal responsibilities under the Privacy Rule, even
> where the two relationships are functionally equivalent. This is
sometimes
> disconcerting to self-insuring clients who believe that by contracting out
> functions to a TPA, they ought to be relieved of responsibilities under
the
> Privacy Rule.
>
> But you have raised a different fact pattern. I take it that you are
> referring to the situation in which an employer contracts with an employee
> leasing or similar company. In such a situation, the recipient of the
> services of the employees (your organization) is not the employer of
record,
> and the leased employees receive benefits under plans sponsored and
> maintained by the leasing company, not by the recipient of the services.
>
> If that is your situation, then I would agree with you that the plan
sponsor
> is not your company, but the leasing company, and the Privacy Rule burdens
> fall on that company and its group health plan, not on your company.
Those
> burdens would include providing or maintaining an NPP (to the extent that
> benefits are self-insured or the PEO receives or creates PHI beyond
summary
> health or enrollment information).
>
> Nevertheless, I think you should think carefully about how the Privacy
Rule
> may affect your company. Are there individuals who are employed by your
> company (not the PEO) and who deal with the PEO regarding health plan
> matters? If so, then those individuals will be members of the health
plan's
> "workforce" (even though they are your employees) and will require Privacy
> Rule training, etc.
>
> In particular, if your company (or the PEO) sponsors an EAP, consider how
> the flow of information works from management personnel in your company to
> the EAP and back. You will want to insure that safeguards are in place
with
> respect to the confidentiality of this information and to make sure that
you
> (or the PEO, if it is a PEO plan) obtain whatever authorizations will be
> required to monitor the satisfactory completion of treatment by an
> individual referred to EAP.
>
> Out of curiosity, is the PEO requiring your company to enter into a BA
> agreement with it?
>
> Hope this helps.
> John
> redhipaa.com (coming soon)
>
> > John,
> >
> > In your explanation, you state that "if you are a self-insured plan and
> you
> > contract out EVERYTHING to a third party administrator ("TPA"), you are
> not
> > spared ANY of the requirements of the Privacy Rule. You must still
> prepare
> > and distribute an NPP to your participants and satisfy all of the
Privacy
> > Rule's
> > administrative requirements."
> >
> > Does this apply if you have contracted out your HR function to a PEO
> > (Professional Employer Organ.) that includes the administratio of the
> > benefit plans (health & dental) and the PEO is identified as the plan
> > sponsor / administrator of the group health/dental plans? Can the PEO
> > develop and distribute the NPP to the participants (employees)? Thank
> you,
> > Sue
> >
> > Confidentiality Notice: This email message, includng any attachments, is
> for
> > the sole use of the intended recipient(s) and may contain confidential
and
> > privileged information. Any unauthorized review, use, disclosure or
> > distribution is prohibited. If you are not the intended recipient,
please
> > contact Hazen Group, Inc. at (317) 849-6065 and destroy all copies of
the
> > original message.
> >
> > Sue Ryan, RN, MPS
> > Consultant
> > Hazen Group, Inc.
> > Phone: (315) 468-2603
> > Fax: (315) 487-0153
> > ----- Original Message -----
> > From: "John J. D'Amato" <[EMAIL PROTECTED]>
> > To: "WEDI SNIP Privacy Workgroup List" <[EMAIL PROTECTED]>
> > Sent: Thursday, March 13, 2003 1:48 PM
> > Subject: Re: Self insured health plans & NPP
> >
> >
> > > Hi, David and Bonnie.
> > >
> > > It's important to keep two terms distinct: "plan administration
> > functions"
> > > (which is a Privacy Rule term) and "plan administrator" (which is an
> ERISA
> > > term).
> > >
> > > The plan administrator (which, under ERISA, is the plan sponsor unless
> the
> > > plan document says otherwise) has certain reporting and disclosure
> > functions
> > > assigned to it by ERISA. The plan administrator may also be (but need
> not
> > > be) the named fiduciary for purposes of the claims adjudication
> procedures
> > > that a group health plan is required to have under ERISA.
> > >
> > > "Plan administration functions" is a poorly defined term in the
Privacy
> > > Rule. What it appears to signify is performing those functions that
> make
> > a
> > > plan a covered entity--i.e., doing things that require working with
PHI.
> > >
> > > Is the ERISA plan administrator necessarily a person who perform plan
> > > administration functions?
> > >
> > > No. So long as the ERISA plan administrator is not also the named
> > fiduciary
> > > for purposes of claims administration, it does not necessarily perform
> > plan
> > > administration functions on account of the jobs assigned to it by
ERISA.
> > > That is because the jobs assigned to it under ERISA may be performed
on
> > the
> > > basis of summary health information received and used for plan design
> > > purposes (permitted under the Privacy Rule) or eligibility and
> enrollment
> > > information (also permitted under the Privacy Rule).
> > >
> > > An ERISA plan administrator will perform plan administration
functions,
> > > however, where it is also the named fiduciary for claims adjudication
> > > purposes, i.e., the person who has to receive all the PHI relevant to
> > making
> > > claims decisions.
> > >
> > > In addition, where a plan is self-insured, the plan sponsor will
ALWAYS
> be
> > > assigned the full gamut of responsibilities under the Privacy Rule,
> > without
> > > regard to whether the plan sponsor contracts those functions out to a
> > third
> > > party.
> > >
> > > Thus, for example, if you are a self-insured plan and you contract out
> > > EVERYTHING to a third party administrator ("TPA"), you are not spared
> ANY
> > of
> > > the requirements of the Privacy Rule. You must still prepare and
> > distribute
> > > an NPP to your participants and satisfy all of the Privacy Rule's
> > > administrative requirements.
> > >
> > > In the case of the self-insured group health plan maintained by your
> > > hospital for its employees, all of the provisions of the Privacy Rule
> will
> > > apply.
> > >
> > > However, your hospital and the group health plan may (and probably
do)
> > have
> > > different compliance dates. The compliance date for health care
> providers
> > > is the first date of service after April 14, 2003. The compliance
date
> > for
> > > health plans (including group health plans) is April 14, 2003 for
large
> > > plans and April 14, 2004 for small plans. A "large plan" is one that
> has
> > > "receipts" (i.e., pays premiums in the case of an insured plan or
> provides
> > > benefits in the case of a self-insured plan) of $5,000,000 or more
> > annually.
> > > A "small plan" is one that has annual receipts of less than
$5,000,000.
> > >
> > > Hope this helps.
> > >
> > > John D'Amato
> > > redHIPAA.com (coming soon)
> > >
> > > ----- Original Message -----
> > > From: "David Blasi" <[EMAIL PROTECTED]>
> > > To: "WEDI SNIP Privacy Workgroup List" <[EMAIL PROTECTED]>
> > > Sent: Thursday, March 13, 2003 3:51 AM
> > > Subject: Re: Self insured health plans & NPP
> > >
> > >
> > > > Without going into a lot of discussion about the difference between
> the
> > > > plan sponsor and plan administrator activities, the plan
administrator
> > > > is responsible for this. If you are also the plan administrator,
than
> > > > you have both responsibilities. Your SPD should state who is the
> plan
> > > > administrator for easy reference.
> > > >
> > > > >>> <[EMAIL PROTECTED]> 03/13/03 07:40AM >>>
> > > > We are an acute care hospital providing health insurance to our
> > > > employees
> > > > as a self-insured plan. As the plan sponsor we are required to
amend
> > > > our
> > > > group health plan document to comply with HIPAA. Are we also
> > > > responsible
> > > > for drafting and providing to our employees a Notice of Privacy
> > > > Practice,
> > > > or is that the responsibility of the health plan?
> > > >
> > > > Bonnie R Millman
> > > > Privacy Coordinator
> > > > Bayhealth Medical Center
> > > > 640 South State Street
> > > > Dover, Delaware 19901
> > > >
> > > > 302-744-6728
> > > >
> > > >
> > > >
> > > >
______________________________________________________________________
> > > > CONFIDENTIALITY NOTICE: The information contained in this e-mail
> > > > message
> > > > and any attachment(s) is intended only for
> > > > the confidential use of the intended recipient(s) named above.
This
> > > > e-mail message and any attachment(s) may contain
> > > > confidential health information or other confidential information
that
> > > > is
> > > > legally privileged and exempt from disclosure under
> > > > applicable law. If the reader of this e-mail message is not the
> > > > intended
> > > > recipient or the employee agent responsible for
> > > > delivering it to the intended recipient, you should be aware that
any
> > > > dissemination, distribution, copying or action taken in
> > > > reliance on the content of this e-mail message or any attachment(s)
> > > > is
> > > > strictly prohibited. If this e-mail has been received
> > > > in error, please notify us immediately via e-mail at
> > > > [EMAIL PROTECTED] and delete or otherwise destroy the
> > > > original message, any attachment(s) and copies. Thank you for your
> > > > cooperation.
> > > >
> > > >
> > > > ---
> > > > The WEDI SNIP listserv to which you are subscribed is not moderated.
> > > > The discussions on this listserv therefore represent the views of
the
> > > > individual participants, and do not necessarily represent the views
of
> > > > the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an
> > > > official opinion, post your question to the WEDI SNIP Issues
Database
> at
> > > > http://snip.wedi.org/tracking/. These listservs should not be used
> for
> > > > commercial marketing purposes or discussion of specific vendor
> products
> > > > and services. They also are not intended to be used as a forum for
> > > > personal disagreements or unprofessional communication at any time.
> > > >
> > > > You are currently subscribed to wedi-privacy as:
> > > > [EMAIL PROTECTED]
> > > > To unsubscribe from this list, go to the Subscribe/Unsubscribe form
at
> > > > http://subscribe.wedi.org or send a blank email to
> > > > [EMAIL PROTECTED]
> > > > If you need to unsubscribe but your current email address is not the
> > > > same as the address subscribed to the list, please use the
> > > > Subscribe/Unsubscribe form at http://subscribe.wedi.org
> > > >
> > > >
> > > >
> > > > ---
> > > > The WEDI SNIP listserv to which you are subscribed is not moderated.
> The
> > > discussions on this listserv therefore represent the views of the
> > individual
> > > participants, and do not necessarily represent the views of the WEDI
> Board
> > > of Directors nor WEDI SNIP. If you wish to receive an official
opinion,
> > post
> > > your question to the WEDI SNIP Issues Database at
> > > http://snip.wedi.org/tracking/. These listservs should not be used
for
> > > commercial marketing purposes or discussion of specific vendor
products
> > and
> > > services. They also are not intended to be used as a forum for
personal
> > > disagreements or unprofessional communication at any time.
> > > >
> > > > You are currently subscribed to wedi-privacy as:
> > > [EMAIL PROTECTED]
> > > > To unsubscribe from this list, go to the Subscribe/Unsubscribe form
at
> > > http://subscribe.wedi.org or send a blank email to
> > > [EMAIL PROTECTED]
> > > > If you need to unsubscribe but your current email address is not the
> > same
> > > as the address subscribed to the list, please use the
> > Subscribe/Unsubscribe
> > > form at http://subscribe.wedi.org
> > >
> > >
> > >
> > > ---
> > > The WEDI SNIP listserv to which you are subscribed is not moderated.
The
> > discussions on this listserv therefore represent the views of the
> individual
> > participants, and do not necessarily represent the views of the WEDI
Board
> > of Directors nor WEDI SNIP. If you wish to receive an official opinion,
> post
> > your question to the WEDI SNIP Issues Database at
> > http://snip.wedi.org/tracking/. These listservs should not be used for
> > commercial marketing purposes or discussion of specific vendor products
> and
> > services. They also are not intended to be used as a forum for personal
> > disagreements or unprofessional communication at any time.
> > >
> > > You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED]
> > > To unsubscribe from this list, go to the Subscribe/Unsubscribe form at
> > http://subscribe.wedi.org or send a blank email to
> > [EMAIL PROTECTED]
> > > If you need to unsubscribe but your current email address is not the
> same
> > as the address subscribed to the list, please use the
> Subscribe/Unsubscribe
> > form at http://subscribe.wedi.org
> >
> >
> > ---
> > The WEDI SNIP listserv to which you are subscribed is not moderated. The
> discussions on this listserv therefore represent the views of the
individual
> participants, and do not necessarily represent the views of the WEDI Board
> of Directors nor WEDI SNIP. If you wish to receive an official opinion,
post
> your question to the WEDI SNIP Issues Database at
> http://snip.wedi.org/tracking/. These listservs should not be used for
> commercial marketing purposes or discussion of specific vendor products
and
> services. They also are not intended to be used as a forum for personal
> disagreements or unprofessional communication at any time.
> >
> > You are currently subscribed to wedi-privacy as:
> [EMAIL PROTECTED]
> > To unsubscribe from this list, go to the Subscribe/Unsubscribe form at
> http://subscribe.wedi.org or send a blank email to
> [EMAIL PROTECTED]
> > If you need to unsubscribe but your current email address is not the
same
> as the address subscribed to the list, please use the
Subscribe/Unsubscribe
> form at http://subscribe.wedi.org
> >
>
>
---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions
on this listserv therefore represent the views of the individual participants, and do
not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If
you wish to receive an official opinion, post your question to the WEDI SNIP Issues
Database at http://snip.wedi.org/tracking/. These listservs should not be used for
commercial marketing purposes or discussion of specific vendor products and services.
They also are not intended to be used as a forum for personal disagreements or
unprofessional communication at any time.
You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at
http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as the
address subscribed to the list, please use the Subscribe/Unsubscribe form at
http://subscribe.wedi.org
