Which HIPAA requirements apply to us?

I'm trying to figure out exactly which HIPAA requirements we'll have to comply with. We've bought a kit online, but much of the info seems to apply to doctor's offices or self-insured employers. We're a government agency with over 50 employees.

We're fully insured, but we do require pre-employment physicals and maintain a confidential medical file on each of our employees. Disability claims and FMLA documents also contain health information.

Can anyone help me sort out what we have to do? What do we do and what should come from our insurance companies?

Thanks much,
Half HR

Comments

  • If you are fully insured through your insurance carrier and you get no protected health information (PHI) from them you should not have to comply with HIPAA. Information you get in the normal course of business for workers' comp., FMLA, ADA, disability, drug testing, etc. is not protected health information but is individually identifiable health information (IIHI) and not subject to HIPAA. In other words, information you get about a person's medical condition on behalf of your insurance plan is protected health information and you would have to be compliant with HIPAA; if you get only summary information from your carrier that is not PHI.
  • I've seen reference to employers as sponsors of health plans. Can you clarify what that means?

    We administer enrollment and terminations, pay premiums, and very occasionally help with problematic claims, but that's it.

    Are we sponsors of the plan?

    Thanks,
    Half HR



  • Yes, you are a plan sponsor but as long as you do not get protected health information from the plan you do not have to comply with HIPAA. If an employee asks for help in resolving a claim and you do get information about that employee's health condition that's OK because they have given their consent for you to be privy to the information. It goes without saying that you would never divulge that information to anyone.

    As long as you do not get information "on behalf of the plan" you're fine. An example would be if you were self-insured and were getting information to pay claims. Then you would be a covered entity and subject to HIPAA. But as long as you are not getting any health information from the carrier you're OK.
  • The final Regs of 2002 contain some significant modifications to the privacy regulations that were issued in December 2000.
    PHI (Private Health Information) DOES NOT INCLUDE the information in employment records held by the covered entity (the Health Plan) in its role as employer. (Things like sick leave records or fitness for duty exams.) The regs do not apply to employment functions of a covered entity when acting as an employer. Therefore, forget about W/C, FMLA, ADA, Disability, Drug Testing and physicals. These are not PHI, they are information you hold in the role of employer. Just keep in mind that "if information 'connects' to group insurance or claims, then it is PHI". If it is employment information, it isn't.
    Also, since you are not self insured, your insurance company has probably done the work for you. I would call your rep there and see what they have done and what you need to do. (You may have some Business Agreements to sign or distribute, depending upon your benefits.)
    E Wart
  • In my answer I just sent, I forgot to address Claims, which are also covered under the final regs. You (even as a covered entity) are not required to obtain written consent before using and disclosing PHI (Private Health Information) as long as it is used ONLY for treatment, payment and healthcare operations purposes. Disclosing for other purposes will require authorization. (This is still PHI, but exempt from the authorization requirement.) However, be careful how you use the information, once you get it.
    E Wart
  • Thanks everyone for the information. It's very helpful.

    Just making sure we don't deal with PHI:

    I've seen name, social security number, and address defined as PHI. If we and our insurance companies include that data in our enrollment paperwork and bills, is that considered PHI?

    Thanks,
    Half HR


  • Sorry, E Wart, I didn't see your last posting before I wrote my last one. So I guess my question is 1) is name, SSN, address PHI and 2) are we required to obtain consent forms, confidentiality forms, or other types of release forms in order to use it for enrollment and claims?

    Thanks again,
    Half HR
  • half hr: Since you are only half HR can we give you a half answer or response?

    Just kidding. In our world there is no half answer or half response. We are a private company with a full medical benefit plan to which we assist in the application and enrollment process and keep record thereof. We no longer get directly involved with the processing of claims. We retain the enrollment forms in a medical record file and in a security container in a limited access locked vault. We do not ask for medical information but sometimes it is thrust upon us. It is this last statement that has thrown us into a full admin training session tomorrow morning for everyone in the office who has access to the office fax machines or mail room.

    I thought we were home free and without a worry. However, our corporate headquarters and our insurance carrier wanted to ensure our mail clerk knows what to do with a piece of medical information contained in the physician's communication (a letter) to us about "suez or Billy Bob's" failed payment after being diagnosed with "AIDS" and died before the physician got paid. Even the dead employee is protected and the information revealed by a mistaken or errant piece of communication is no excuse for not HIPAA protecting the document and the information or anything that might resemble fact. The clerk or anyone in the office that might potentially have access to any part of a medical situation must be trained and must exercise correct, "due course", action. Otherwise, the "HIPAA ATTACK DAWGS" WILL BE ABOUT OUR SHOULDERS.

    Take heed and use on "Deet" to prevent West Nile Virus! Do not toss any possibility of covering your company with proper training to some level. Using "Deet" to protect against "WNV" is like using a minimum information training program to protect your company from a potential failure. It is a real threat, and we will apply a sensible and information training program with our admin staff about this subject. Even our Accounting Manager will attend and will be tested. I saw a potential medical HIPAA document that she printed this morning which falls in this very category; it was a printed document that broke down the medical claims cost by department and named family member. I did not realize that we accounted for cost to that degree, but we do and when named it became a potential HIPAA document.

    PORK