Hipaa Complaince

maryfmurray · April 2004

I work for a small agency and for two years I have been preparing the paperwork to have us in complaince for Hipaa. I have forwarded all the appropriate paperwork to the ED and nothing has been returned to me or out to the employees, therefore we have not met the complaince date of APril 14. I don't know what to do! I've tried everything, all I am hearing back is we do not have to do anything to become Hipaa complaint. I explained even though we only do enrollments and pay the bills, there are certain rules in which we must follow. Any suggestions will be helpful! Thank you.....

Don D · April 2004

Two questions: How is 'The ED' and who is telling you that you don't have to do anything further?

maryfmurray · April 2004

The ED stands for Executive Director and apparently he went to a non-profit seminar on HIPAA and it was his understanding from this class we did not have to do anything to comply with the new HIPAA regulations.

mushroomHR · April 2004

If all you are doing is enrolling/terminating employees and paying the bill the insurance company is sending you then you don't have to do anything with HIPAA. As long as you aren't getting any information from the insurance company about employeee's medical conditions or information on their apps that reveal medical conditions HIPAA does not apply to you.

maryfmurray · April 2004

Even though all I do is the enrollments, don't I still have to provide something to new hires and provide the employees with a summary plan description showing them their benefits? Our broker informed us we needed to do all of this to comply.

Elle · April 2004

Yes, you have to provide your employees w/the Privacy Notice as well as have all your Business Associate Agreement forms filled out. The BAA form is for any other organization that has employee medical information (i.e. payroll company w/employee contributions, broker, etc.).

I hope this helps, HIPAA has confused me too.

maryfmurray · April 2004

thank you for all your input, it has been a big help. It was just as i Thought and none of this has been done. As I have stated, I sent all the information to my boss and it is now in his lap. There isn't much more I can do if he isn't willing to move on what needs to be done. If the DOL ever came in and found out the privacy notices had not been issued, would there ever be major fines. Then he wouldn't be so happy.

HR in Okla · April 2004

Question...fully insured plan. All you do is enroll employees and review bills. You aren't required to comply with HIPAA, so you wouldn't develop a privacy notice would you? Whose privacy notice do you issue? I'm confused.

mushroomHR · April 2004

I agree with you HR. If you're fully insured and you see no health information from the insurance company HIPAA does not apply. You do have to give enrollees a copy of your SPD but that has nothing to do with HIPAA.

njjel · April 2004

So do we or do we not have to issue a Privacy Statement if all we do is submit enrollment info and pay the invoice?

SMace · April 2004

The information I have is that enrollment forms are condsidered PHI. I've not agreed with anyone yet on any HIPAA issues and I'm not fully insured so don't take my word for it. I figured I'd throw my two cents in though.

franfields · April 2004

Be careful that you don't forget cafeteria plans when you are deciding whether or not you have to do anything. If you do medical reimbursement and have 50 or more enrollees, you are a covered entity under HIPAA.

njjel · April 2004

Can you explain why please?

HR in Okla · April 2004

Is that 50 or more enrollees in the FSA? or your health plan? I'm interpreting it as the FSA, but want to be sure.

Also, this is the first I've heard that enrollment forms are considered PHI. Anyone have more clarification?

njjel · April 2004

Prior to my post I was given two different opinions on this from HIPAA "specialists"!! So then how are we lay persons supposed to figure it out?

franfields · April 2004

If your cafeteria plan has a medical reimbursement FSA, depending upon how it is administered, you may be dealing with PHI (i.e. receipts list medical conditions and drugs). If you have access to PHI, it needs to be protected.

njjel · April 2004

We do not take any information for our medical felxible spending account - the employee deals directy with the people at the plan. Therefore, I didn't see that we would be required to issue a privacy notice.

Pork · April 2004

"WHOA-NELLIE" this is like a dawg chasing its tell (tail) and getting no where. HIPAA BEST SUMMED UP pertains to those of us who have or might by chance receive some terrible piece of PHI. If you or your office never views a PHI document, then HIPAA will not apply to you and your staff, the body guard, the garbage man or the little lady or "dancing mail man/woman" that delivers the FAX or mail. However, if there is a chance that PHI will float in while you are reviewing medical invoices belonging to "John Doe" or "Jane Chance" or any of their family members, then you best have a HIPAA policy and plan in place which includes certified training on the particular issues of control and right of Privacy. We had our training plan, program, and certification document in one hour. We administered a 6 question test and attached all documents together and sent them back to the home office for filing and safe keeping for the HIPAA AUDITORS that were descending upon our heads on April 14, 2004. We complied and got it done and I thoufht how rediculas this exercise was to waste everyone's time. Two hours after the class, which I gave one of our 8 clerks that work in the headquarter's office, came to me with the First Aid register, waving and expressing excitement and HIPAA, HIPAA issue. She had almost heard me right, when in doubt get control of the document and get it to me or my assistant and we'll determine if a violation has occurred. I was proud of her actions, but I explained that she should reflect again on the training and what did the First Aid register represent? Of course you all know it is OSHA and Worker's Compensation, which is not covered by HIPAA. I thanked her for the opportunity to refocus her training and replaced the First Aid register back on the first aid box. The next day the mail clerk opened a letter to the office and realized right away that it was a medical document of some sort, she stopped reviewing the contents and brought the envelope with contents to me. It again was a worker's compensation document, but I was proud that she knew what to do with the mail. It could have been a letter from some doctor's office which might have revealed medical information, the forms used, do not normally differ in our area for private medical treatment or invoice than the W/C documents. Yesterday, the same person brought a letter un-opened to me it was from a local physician's office; inside was an ad for services and retail sales of medicine available.

MY CHARGE TO YOU IS: ARE YOUR WORKERS IN THE IMMEDIATE AREA OF THE HR OFFICE EVER WITH POSSIBILITY OF GLEENING ANY MEDICAL INFORMATION PERTAINING TO YOUR EMPLOYEES OR THEIR FAMILY MEMBERS? IF SO, ARE THEY PREPARED TO HANDLING AND OR "FORGETTING WHATEVER PERSONAL MEDICAL INFORMATION" THEY MAY HAVE GLEENED FROM EITHER DOCUMENTS OR PERSONAL CONVERSATIONS? ENROLLMENT FORMS ARE HIPAA/PHI EVEN FOR THE DEAD!

This is one of government "gotchas" or the "attorney dawgs" opportunity to make more money. You can just bet on it becoming the "cash cow" for a "rainmaker attorney".

Everyone have a Blessed day tomorrow, because I might have just rained on your parade; we are in compliance, I hope!

If not me and my pigs will just go to the barn or the slaughter floor, when and if we are ever challenged.

PORK

njjel · April 2004

Well as I said I got two different answers from two HIPAA "experts". Both long-time attorneys. So I guess I go to a third attorney and compare more notes.

I understand where you are coming from in the several ways that a company could get "caught". However, I don't see any of those scenarios playing out here. Nonetheless, I might just recommend we put a policy in place anyway just to keeps those "dawgs" outta my yard!

Pork · April 2004

[font size="1" color="#FF0000"]LAST EDITED ON 04-29-04 AT 07:52AM (CST)[/font][br][br]NJJEL: I, like you, originally felt that HIPAA was for the physician's office and that we could not possibly be involved. I remember looking at all the postings on this subject last year and would read the dialog and feel happy not to have all of these worries! Our Medical Insurance Carrier was the connection to this issue that got our attention. The first thing that happened was the immediate shut-down of this division's responsibility to assist our employees with claims processing; my e-mail connection to the POC went dead; the telephone messages were not returned; my frustration level went into orbit and I wrote a nasty gram to our carrier through the HR in NC. That is as far as it got! The HR called me and told me to settle down and be happy not to have these worries. The only thing I was allowed to do was to give my employees the claims form, and address and the 800 number to call. Additionally, he explained that our carrier is putting together a compliance training plan and policy for HIPAA. HOW STUPID, I thought and how damaging this would be for our employee relations and EAP activities. DO YOU HAVE AN EAP? YES, well you just got involved with HIPAA! Do you have an employee relations activity, which allows for personal discussions of any personal concern and seek guidance or assistance in handling their concerns? Guess what, this could be HIPAA area of concern. All of a sudden I was forced to think outside of the box and hear the full intent of the LAW.

God Bless us all and may we all have a nice day.

PORK

njjel · April 2004

No, we don't have an EAP (although I am hoping to get one some day).

Pork · April 2004

Maryfmurray: You have your profile disabled, therefore, we are unable to make direct contact. I have something for you if you are interested.
PORK

Hipaa Complaince

Comments