Products | DPI-125 | DPI-105 HRA | DPI-132 | DPI-COBRA | myResourceCard®
HIPAA Privacy is the mind of so many. What to do and when to do it? To help you in this matter, we will shortly be releasing a HIPAA Privacy Packet design for our users to send to their clients. The packet will inform the client about his upcoming compliance obligations under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). These rules affect health plans (which includes health FSAs), health care providers, and health care clearinghouses.
The HIPAA Privacy Rules will be effective on April 14, 2003 for self-insured plans that paid $5 million or more in claims or for fully insured plans that paid more than $5 million in premiums in the last full plan year prior to April 14, 2003. If the Plan paid less than $5 million in claims or premiums, the effective date of the HIPAA Privacy Rules for such plans will be April 14, 2004. (For purposes of the $5 million rule, all health benefits must be counted where they are provided under a single “plan” for ERISA (Form 5500) purposes.)
Included in the packet will be:
- Cover letter to you explaining the contents of the packet
- Sample cover letter explaining the material to the client
- Summary of the client's HIPAA rights and responsibility
- Sample Privacy Notice
- Sample HIPAA Confidentiality Agreement (similar to a Business Associate Agreement, but designed for agents of plan sponsors
- Sample amendment to the DataPath FSA Plan Document (rev. 11/27/02)
The material in the packet is designed for a TPA taking the approach that the TPA is an agent of the employer as opposed to a business associate of the plan. While agents are not directly subject to HIPAA's privacy requirements, certain steps must be taken in order for the plan sponsor to receive information from the plan. The employer must amend its plan and ensure that its agents with whom it will share PHI agree to the same requirements as business associates. From the privacy perspective, it does not matter whether the TPA is a “business associate” or an “agent" of the employer; they are subject to the same privacy requirements.
When it comes to EDI, it is an advantage for a TPA to be an agent since employers and their agents are not subject to the EDI standards. If the TPA were acting as a business associate, the TPA would have to abide by the EDI standards.
When you receive this packet, it is very important that you have it reviewed by your legal counsel. Also, when you send it out to your clients, you should tell them that they also need to have it reviewed by their legal counsel.
This packet will be provided only to our current users. You will receive an email telling you when it is available for download from our web site.