Question 1: Does the size of employer matter as to whether or not you are a covered entity? Can you be less than 50 employees and be self-insured and/or fully insured and NOT be a covered entity?

A: The only health benefits plans that are exempt must meet all three criteria in the decision tree found in the reference materials: self-administered, self-funded and less than 50 employees. Under 50 participants includes both those that participate and those that are eligible. There are very few plans that fit that definition, possibly an FSA account.

If you are fully insured, the size of the company has no effect, thus a five person company must comply with a HIPAA privacy program.
Question 2: Can you explain Hands-On in more detail? Can a covered entity decide to not be a covered entity and sign a Hands-Off agreement?

A: If you are self-insured you cannot choose Hands-Off. If you are fully insured and only receive summary information, you can choose to implement a Hands-Off position. You have a long list of requirements to meet this option.

If at any time any representative of a company receives Protected Health Information, even by accident, you must revert to a Hands-On position. We recommend that you adopt a Hands-On position from the start because there is a clearer standard on meeting compliance.

Here is a more complete list of the requirements for Hands-Off (there is an abbreviated list in the Tool Kit PPT presentation):
- Understand basics of HIPAA's Privacy Rule
- Although not required, it is recommended that you designate an individual as the plan's chief privacy officer.
- If the size of your plan warrants it, you may want to appoint a privacy team to work with the chief privacy officer
- Establish a well-defined relationship with a Third-Party Administrator (TPA) or Professional Employer Organization (PEO)
- Use authorization forms aggressively
- Develop a policy to refrain from intimidation or retaliatory acts against individuals who submit a complaint, assist an investigation or exercise any privacy rights.
- Develop procedures to ensure that you do not require individuals to waive their rights under the HIPAA privacy rule or their rights to file a complaint with the Secretary of HHS as a condition for payment, enrollment in the health plan or eligibility for benefits.
- Draft an authorization for health plans and/or providers to disclose PHI to the plan.
- Develop a procedure for verifying the identity and authority of persons requesting disclosure of PHI.
- Implement procedures to review all requested authorizations to disclose PHI to ensure that the authorizations comply with the HIPAA Privacy Rule
- Prepare business associate agreements and get signatures.
- Develop procedures to identify all existing and future business associates and incorporate your business associate contract provisions into your contracts with the business associates.
- Determine whether the plan must amend plan documents to include the elements mandated by the HIPAA Privacy Rule, including the creation of firewalls between plan administration functions and other employment functions performed by those who administer the plan on behalf of the employer-sponsor.
- Separate health files from employee records
- Shred old health information
- Determine whether the employer-sponsor of the plan maintains an on-site health clinic. If so, determine whether the clinic is a covered entity and take steps to bring it into compliance with the HIPAA privacy rule if it is covered.
Question 3: Business Associate Agreement: If the employer uses a TPA and a broker, will they need separate BAAs with both parties?

A: Yes, and we recommend you initiate a BAA and not rely on their BAA agreement. The reason is that their BAA in all likelihood will not include indemnification language or other necessary protection to ensure that if they make a mistake, you will have some option of protection for your company in case you get in trouble.
Question 4: Will the employer also need BA agreements with the PPOs, Dental Plans, Voluntary Life Plans, RX companies, EAP organizations, COBRA administrators, UR admin, etc.?

A:
- PPOs: Not if the PPO has a confidentiality agreement with the TPA; then they don't need to have a separate BAA between the employer and the PPO network. Typically the contract is not between the PPO and the employer, but between the PPO and the TPA, and the TPA is making that part of their contract.
- Dental Plans: Yes
- Voluntary Life Plans: No, life insurance is not covered by HIPAA
- RX: Depends on the situation. Could be the same as the PPO network.
- EAP Organizations: Yes
- COBRA Administrators: Yes, because they are TPAs
- Utilization Review Administrators: Typically no, because they are going to be under contract with the TPA
Question 5: Do you need to get employees to sign off that they received the NPP?

A: No
Question 6: Does a notice need to be sent out to employees once every three years notifying them that the notice is available and how they can obtain a copy?

A: No
Question 7: Should the NPP be posted on the employer's website if their website has health plan information on it?

A: Yes
Question 8: Authorization for Release of PHI: Does this form serve as a signed receipt that the NPP has been distributed?

A: No, it serves as a permission slip from the employee that it is all right for an employer to have access to the information.
Question 9: How do you handle the employee's spouse calling in to have help with claims issues? Do you need a release of PHI for them as well?

A: It depends. If the NPP says the company will share health information with the spouse unless the employee has told them otherwise, then they do not need to have a signed authorization. If the NPP is silent about that issue, then the company will need a signed authorization from the employee to talk to the spouse about it. The employee can revoke permission for the spouse to receive information at any time. That form is in the Tool Kit.
Question 10: Chain of Trust Trading Partner Agreement: What is this and is it necessary to have?

A: This was defined in an early version of the law and has been replaced by the BA agreement.
Question 11: Is the Confidentiality & Nondisclosure Agreement used to have employees and/or persons associated with the employer (cleaning staff, outside data help, etc.) sign saying they will protect the PHI?

A: That is correct.
Question 12: Should the Corporation (employer) be named as the Plan Sponsor and Plan Administrator so that as a Plan Sponsor this would not make them a fiduciary and therefore not have the liability associated with fiduciary status? They can then be responsible for establishing, amending, terminating and funding the plan.

A: Under ERISA, the plan sponsor is a fiduciary. They cannot be named as anything other than a fiduciary.
Question 13: Would this mean then as the Plan Sponsor, the employer is not a Covered Entity and it may use PHI for plan administration purposes, as described above, if it completes designated amendments to plan documents and establishes certain procedures so that they agree to use and disclose PHI only for the Plan administration functions?

A: Yes.
Question 14: Won't the HIPAA Privacy Rule's minimum necessary standard impede the ability of workers' compensation insurers, State administrative agencies, and employers to obtain the health information needed to pay injured or ill workers the benefits guaranteed them under the State workers' compensation system?

A: No. The Privacy Rule is not intended to impede the flow of health information to those who need it to process or adjudicate claims, or coordinate care, for injured or ill workers under workers' compensation systems. The minimum necessary standard generally requires covered entities to make reasonable efforts to limit uses and disclosures of, as well as requests for, protected health information to the minimum necessary to accomplish the intended purpose. For disclosures of protected health information made for workers' compensation purposes under 45 CFR 164.512(l), the minimum necessary standard permits covered entities to disclose information to the full extent authorized by State or other law. In addition, where protected health information is requested by a State workers' compensation or other public official for such purposes, covered entities are permitted reasonably to rely on the official's representations that the information requested is the minimum necessary for the intended purpose. See 45 CFR 164.514(d)(3)(iii)(A).

For disclosures of protected health information for payment purposes, covered entities may disclose the type and amount of information necessary to receive payment for any health care provided to an injured or ill worker.

The minimum necessary standard does not apply to disclosures that are required by State or other law or made pursuant to the individual's authorization.
Question 15: Does the HIPAA Privacy Rule's public health provision permit covered health care providers to disclose protected health information concerning the findings of pre-employment physicals, drug tests, or fitness-for-duty examinations to an individual's employer?

A: The public health provision permits covered health care providers to disclose an individual's protected health information to the individual's employer without authorization in very limited circumstances. First, the covered health care provider must provide the health care service to the individual at the request of the individual's employer or as a member of the employer's workforce. Second, the health care service provided must relate to the medical surveillance of the workplace or an evaluation to determine whether the individual has a work-related illness or injury. Third, the employer must have a duty under the Occupational Safety and Health Administration (OSHA), the Mine Safety and Health Administration (MSHA), or the requirements of a similar State law, to keep records on or act on such information. For example, OSHA requires employers to monitor employees' exposures to certain substances and to take specific actions when an employee's exposure level exceeds a specified limit. A covered entity which tests an individual for such an exposure level at the request of the individual's employer may disclose that test result to the employer without authorization.

Generally, pre-placement physicals, drug tests, and fitness-for-duty examinations are not performed for such purposes. However, to the extent such an examination is conducted at the request of the employer for the purpose of such workplace medical surveillance or work-related illness or injury, and the employer needs the information to comply with the requirements of OSHA, MSHA, or similar State law, the protected health information the employer needs to meet such legal obligation may be disclosed to the employer without authorization. Covered health care providers who make such disclosures must provide the individual with written notice that the information is to be disclosed to his or her employer (or by posting the notice at the worksite if the service is provided there). When a health care service does not meet the above requirements, covered entities may not disclose an individual's protected health information to the individual's employer without an authorization by other provisions of the Rule. However, nothing in the Rule prohibits an employer from conditioning employment on an individual providing an authorization for the disclosure of such information.
Question 16: Does HIPAA apply to municipal workers since ERISA doesn't apply?

A: Yes, HIPAA does apply.
Question 17: If a small employer, self-insured (under 50 employees), has a medical buy-down plan that is a fully insured product, but requires an EOB before reimbursing the employees, is the plan subject to HIPAA? Because it's self-insured, the answer is generally no; however, because the employer has PHI, are they now subjected to HIPAA?

A: Actually, if the plan is a plan (meaning it has plan documents, SPD, etc.) and has less than 50 participants (meaning actual participants and eligible, non-participating participants) and is self-administered, then theoretically the plan will not have to comply. However, USDOL still has some serious questions about this because of the inherent inconsistency with one portion of the employer not having to comply but another part of the plan having to comply at least hands-off since they have access to PHI about their employees. My advice: Comply fully and then keep PHI out of the employer's hands.
Question 18: What can a supervisor do when an employee calls in sick? Shouldn't an employer have policies that govern the employee/employer relationship as it relates to an employee calling in sick, discussing even in a caring fashion an employee's medical condition (example: an employee that has cancer and is on extended medical)? Both vendors and co-workers ask about that employee. How is HIPAA related to these situations?

A: First, write your firm's policies and procedures, and then follow them. They should state exactly how your firm will handle absences. Do you require a physician's note after XX number of consecutive days; after XX number of absences, etc.? As long as it is spelled out in your P&P, there will be no issue if you enforce the policy consistently.

The key to the second part of your question is who is divulging the information, the employee or the supervisor? The supervisor should not be telling anyone about a coworker's condition. It is really up to the employee to share the information as they wish, or the supervisor could ask the employee what he/she would like the coworkers to be told, if it's a long-term event. At the same time, coworkers will share information and that is all right. What you need to remember is, it's not 'who tells what', it's what impact the knowledge has on employment decisions that is important. To comply with HIPAA, supervisors/employers must not use PHI to make or influence employment decisions.
Question 19: What happens if an employee calls in sick for several days in a row? Can we require a doctor's note? What happens if we see a pattern of John Doe calling in sick on Fridays or Mondays so he can have a long weekend? I guess that could be an attendance issue and he could be fired. We currently do not require a doctor's note unless an employee is going to apply for the FML.

A: Yes, it is all right for you to ask for and receive a doctor's note that the employee was under their care and is now OK to return to work. Make sure that the note does not include any diagnosis information (which is unlikely given their own HIPAA privacy obligations).
Question 20: Can an employer send a NPP to employees via email?

A: Yes. If an employee requests a paper copy, the employer must supply it.
Question 21: Can a NPP be included in a paycheck envelope?

A: Yes
Question 22: Can I give the Notice of Privacy Practices and Policies to our clients to pass out to the employees? Do I need a signed copy back from each employee? Does the employer need a signed copy back from each employee?

A: Yes, you can have them pass it out to their employees and no, you do not need a signed copy back from each employee. The employer also does not have to have a signed copy, but could request it for record-keeping purposes.
Question 23: Can you explain the use of the Authorization & Release to Disclose Health Information form? Does each employee of the client need this passed out to them as well? And if so, do the same questions apply as far as who gets the signed copy back?

A: The Authorization is for you to use with your clients when you need an authorization from the employee to speak to a carrier that requests a signed form. You can collect this authorization in advance and avoid any delays in working with the carriers, or you can wait until there is a request by an employee for assistance in resolving a claim.
Question 24: If a hands-on employer distributed their Notice of Privacy Practices to all employees, and if the assigned Privacy Officer or the Privacy Officer's helpers that have access to PHI should receive a call from an employee for help on claim issues, would the Privacy Officer and/or team need that employee to sign an Authorization For Release of PHI before the assigned Privacy team can help them, or does the NPP cover this?

A: As long as the employee calls the Privacy officer or the privacy staff and the employer is hands-on and these positions are defined in the Policies and Procedures and in the Notice of Privacy Practices, then there is no need for an additional authorization. If an employee wants to talk to someone outside of the privacy team, then that management person would need a signed authorization from the employee.
Question 25: Is it okay for the privacy staff to give spouses PHI information (i.e. help with claim issues) over the phone without a signed Authorization for Release of PHI?

A: Generally, it is OK, if the Notice of Privacy Practices informs the employee that the company will assist a spouse without the need for further authorization. We recommend that you quiz the spouse making the call to certify that this is the spouse.
Question 26: You have said that the re-insurer does not require a BAA from the employer. Can you explain why?

A: A reinsurer is not a business associate of a health plan simply by selling a reinsurance policy to a health plan and paying claims under the reinsurance policy. Each entity is acting on its own behalf when the health plan purchases the reinsurance benefits, and when the health plan submits a claim to a reinsurer and the reinsurer pays the claim. However, a business associate relationship could arise if the reinsurer is performing a function on behalf of, or providing services to, the health plan that do not directly relate to the provision of the reinsurance benefits.
Question 27: If we have an employee who is taking time off to go to rehab, and because the time is being applied to Family Medical Leave, does this give the supervisor the right to tell people what is going on when asked?

A: If they are out on FMLA and the reason is for some rehab issue, why not just say that they are using it for a medical reason and not give any specifics unless the employee has said that they don't mind telling more than that.
Question 28: We had a situation where an employee was having some problems. His supervisor made notes on his attendance record such as: January 2 - John Doe seemed out of it and could not concentrate. January 15 - John Doe said he had to go home because he couldn't think straight. January 31 - John Doe called to say he would not be in today because his wife left him and took the children. February 10 - John Doe is having difficulty doing a job that he has been doing for 15 years. February 20 - John Doe called in sick because he was dizzy and his medication isn't right. Again, the supervisor is the only one who has these records. Would notes like this cause us to be a hands-on company? These are not in the employee's personnel file. They are kept in the supervisor's office. The only time they become part of his personnel file is when the employee is terminated.

A: This kind of detail is going to be a problem, especially the February 20 data. The supervisor should keep that detail limited or document it through some formal employment process.
Question 29: We are a hands-off company. We do not ask health questions on applications or when offering employment. Once an employee is hired, we have a sheet they fill out with emergency contact info, etc. We also have a statement that reads, "Are you taking any medication, have any health conditions, or are allergic to anything that we need to be made aware of?" Is this question acceptable to allow us to continue to be a hands-off company since I include the statement "...that we need to be made aware of"?

A: Yes, because you're doing it for workplace safety reasons. Just be careful not to make the information available throughout the company - only a limited number of people should have access to the forms.
Question 30: Our supervisors keep attendance records. Would we be considered a hands-on company if the supervisor writes on these attendance records things like: Wednesday, March 24 - John Doe asked off to go to the doctor, or Wednesday, March 24 - Sue Smith called in sick? The supervisor is the only one who has these records except when a copy is given to the plant supervisor because of an attendance problem where the employee may be terminated.

A: No, that's not PHI and not going to jeopardize your status as hands-off.
Question 31: Can an agency or an employer post a Notice of Privacy Practice in a common area for employees?

A: No, they must deliver an NPP to each employee. They cannot post it and satisfy the notice requirement. They could include it in the paychecks as a stuffer, but there must be physical delivery of the notice to each employee.