HIPAA Compliance

We are a small bank with 53 employees. Our health and dental plans are fully insured. The only Personal Health Information we receive is information provided on the health questionnaire in our health insurance enrollment form. We also have an FSA with 10 participants. I recently read an article that said if the FSA is self-funded, self-administered, and covers fewer than 50 participants, it isn't subject to any of the HIPAA rules. We do administer it internally, but as I mentioned, we only have approximately 10 participants. Based on this information, do we need to comply with the HIPAA regulations?

Comments

  • Hi Sherrie, fellow Minnesotan,

    "FSA's and Cafeteria Plans are covered entities if they otherwise meet the ERISA definition, unless they:
    1. Have fewer than 50 participants; and
    2. Are self-administered."

    Sounds like the answer is "no". You're clear.



  • Sorry, I believe the number of employees applies to number of eligible employees, not the number of participants. We have 97 employees and 3 participants, but still have to comply. In the meetings I've been to, if you have a Section 125 Medical reimbursement you have to comply.
  • There is a lot of conflicting information going around about HIPAA and here is one case. When I used the word "participants" it was right out of the compliance material I received from a seminar conducted by a Minneapolis law firm. To add to that, during this seminar a question was asked about a certain situation and whether it was a covered entity or not. In unison, one lawyer said "yes" and another said "no". The disturbing part is that they were both correct. It "depends on the employer's intent".

    Great!! Now our intent is being legislated.

    Also, work comp is not supposed to be affected by HIPAA, but several employers here have noticed a real slowdown in claims payment due to the privacy issues. Anyone else noticing the same thing?
  • The good news is the HHS will act as monitor for the 1st 2 years of HIPAA compliance before administering the stiff penalties and fines for non-compliance... unless there is blatant negligence. The bad news is that should you not be in compliance and you do handle PHI which it sounds like you do, I would protect myself (you personally share liability with your company) by becoming fully compliant by April 14th. There are only a few steps to become compliant and it is not as difficult as we think. Remember the first FMLA days and how difficult we thought that was?
    Nothing to it now, so I expect HIPAA will be the same as we become more acquainted with the compliant requirements. Plus it is just good business practice to protect PHI and have a policy concerning the protection process. Best wishes from SC.