HRBenefitsAlert.com » Employee privacy vs. administration

Employee privacy vs. administration

February 16, 2009 by Bill Meltzer
Posted in: Compliance, In this week's e-newsletter, Latest News & Views

As scary as they seem at first glance, complying with HIPAA’s privacy rules can be relatively painless.

Contrary to common belief, the rules – with a few key exceptions – apply only to a fraction of the health information Benefits handles.

As long as the company remains legally “hands off” employees’ private health information, you can dodge most of the HIPAA bullet.

For HIPAA privacy purposes, your firm is considered “hands off” even when you obtain de-identified personal information, aggregate claims data and routine enrollment info.

Bottom line: If your organization’s health plans are fully insured and the claims administered through a TPA, the insurance company – not your firm – bears the brunt of the HIPAA privacy compliance responsibility.

One major exception: medical cafeteria plans. In most cases, you have two compliance options:

  • Process reimbursement requests first through your TPA, with the TPA making sure the claim qualifies under the terms of the cafeteria plan before your firm reimburses it, or
  • Create a written cafeteria plan privacy policy, issue a notice to employees, appoint a privacy officer and amend your plan documents.

Rarely affects FMLA

Many people – including healthcare providers – misunderstand how HIPAA affects medical certifications for FMLA leave. The key: HIPAA only applies to personal information that filters through your health plan, not certifications obtained from a doctor.

Under FMLA, you’re allowed to obtain the minimum information you need to approve and administer leave. Likewise, HIPAA doesn’t apply to most workers’ comp, return-to-work notices or disability claims.

Even so, it pays to be careful how you ask for and use the information. Other state and federal privacy laws often protect the same types of info people assume falls under HIPAA.

Following procedures

The HIPAA privacy rules are heavy on paperwork and procedure.

But as long as your firm follows the info-gathering process spelled out in your health plan documents, the HIPAA privacy rules should present few major obstacles.

8 Responses to “Employee privacy vs. administration”

  1. Mary B Says:

    Bill, you seem to forget that some of us are new to HR, which is why we rely so heavily on sites and articles such as this. I was at a loss at first to know what a “TPA” was, but finally decided you must be referring to a “Third Party Administrator”, based on the context. Is that correct? This must be something that most HR Benefits Coordinators would know, but some of us are the only HR person in a small company, and we are not up on what you would consider common terms.
    On another note, thank you so much for this information. I was told that “routine enrollment info” was considered HIPAA sensitive, and that I would have to set up a separate file for each employee to keep that in. Your article makes it sound like that may not be the case, and that I might only have to set up a separate file if I actually receive specific personal health information on one of our employees. Can you tell me if that really is the case, or should I continue making up all those additional folders for enrollment forms?
    Thank you for your help – Mary B

  2. Bill R Says:

    Bill or anyone else out there,

    What about companies that are not fully insured (meaning partially or fully privately funded up to some reinsurance limit)? Medical information is shared through the TPA as claims are filed and submitted to the company for payment.

    What is the best way to comply with HIPAA in that case?

    Thanks. Bill R

  3. Larry Says:

    Just deal with it like you would with any confidential info, except in this case, medical info is not to be shared with anyone or those legally permitted to do so. Get everyone who has access to the info to sign a HIPAA document indicating their knowledge of how to handle the info.

  4. Bill R Says:

    Thanks, Larry.

    Just hypothetically speaking of course… what if the company’s top management are handling the claim information personally. I mean the same people that make hire and fire decisions?

    Thanks.

  5. Cheryl Says:

    In a small company, where top management has many roles, it is treated as professionally as possible. This means that sensitive information files are kept separate and secure and decisions are based on performance and skill. Think of it, Bill, as an actor stepping in and out of different characters throughout the day; you do the best you can to be fair and ethical.

  6. Larry Says:

    Technically, even the top mgmt. should complete the HIPAA training and sign the confidentiality document if they are privy to this info. If something ever gets out, the company is exposed to serious litigation.

  7. Bill R Says:

    Thanks Cheryl and Larry,

    One last question, if top management is privy to personal health information because they are paying the medical bills because the company is self insured – does this violate HIPAA or not? And if the answer is yes, how does changing hats or acting roles or attending training mitigate the risk of violating the law?

    Thanks again.

  8. Larry Says:

    The risk is not mitigated if someone spills any private info, or makes an employment decision based on privileged medical info. The training only lets these folks know what they can and cannot do with the private info. It’s up to them to adhere to the guidelines. And make sure you document training, etc. in case anything gets out so that you’re not exposed.
