"The Universal Laws of HIPAA only affect certain people," said the Master. "In the infinite wisdom of Congress, some holders of this protected health information are affected and some are not."

"But that does not make sense," said the novice, even more puzzled. "What is the difference that distinguishes who is a covered entity and who is not?"

"Yes, Grasshopper, there is a specific definition that defines who must be HIPAA enlightened and who does not have to follow the path," responded the Master. "The list is small but yet it is large. The sacred HIPAA text says these categories must seek the path:

• Medical insurance companies
• A healthcare plan
• A health care clearinghouse
• A health care provider who transmits any health information in electronic form

"No Master, I can't say that it is," said the novice, shaking his head in confusion. "What do you mean a health care plan is a covered entity? How does that affect me as the employer? Am I a covered entity, too?"

"If your health care plan has more than 50 eligible employees, then it must respect the laws of HIPAA. You r company is not a covered entity, it is the plan sponsor of the healthcare plan. You must ensure that your administration employees and the plan walk the ways of HIPAA," said the Master. 

"And if you have any third party do any administration work for the healthcare plan," the Master continued, "then the size requirement does not apply."

The business owner, looking perplexed, asked the Master, "So if we have someone outside our firm administer our Flexible Spending Account, then it applies to use even if we have fewer than 50 employees?"

"So as an employer with a medical plan for my people I am considered a sponsor of a covered entity?" asked the entrepreneur. 

"What if my company is self-insured?" asked the owner.

"Being self insured by definition means you use someone else to administrator your healthcare plan." replied the Master. "In fact, the only healthcare plans that are not affected are fully insured with fewer than 50 eligible employees who do all administration internally. No outside FSA or Cobra administration!"

The Master paused, and held up the sacred HIPAA text.

"In this book are the universal guidelines for the privacy and security of protected health information. It is written here that a healthcare plan must be HIPAA compliant. But it is the sponsor of the healthcare plan that is responsible for doing so.  An employer that thinks that these laws do not apply to them is gravely mistaken. It is more than good business practice to take this path. It is a universal truth." advised the Master.

"It is possible to minimize the compliance efforts, but you can't escape the laws of HIPAA. The applications of the employees contains their protected health information. Any employees you have with access to this information must be HIPAA aware. If you keep copies you must secure that data. You must guarantee the information is protected, private and secure. And you must get assurances that anyone you give this information to will also provide the same privacy and security guarantees, " the Master added.

"Wait," cried the owner. "What if I make sure we NEVER get copies of the employee medical applications. What if our insurance broker ONLY  handles them? "

"No, Grasshopper, you can minimize how deep you are in the waters of HIPAA, but you can't escape the Laws of HIPAA. You must have a HIPAA policies and procedures manual, regardless. This manual must outline how you respect the laws of HIPAA." 

"And if you have others receive this information, then they, too, must respect it," said the Master.

copyright 2004 er.HIPAAps.com

next page