Our outside consultant is reviewing health & dental claims. Our carrier is setting up a link for them to be able to access data right from their website.
I know this will be a HIPAA concern soon; we are for the most part self insured.
Does anyone see a current problem with this?
Should the consultant sign a Confidentiality agreement? Should our carrier,rather than us, be concerned form their end since their website?
Would anyone have a sample Confidentiality agreement or Business Associates agreement
Thanks!

Having the consultant take a look at claims info should not pose a concern unless you think he or she is going to use the information in some other way. When it comes to disability claims, I usually work with the carrier directly if there are questions or problems with a claim. Depending on the realtionship I have with the carrier, they usually give me information that is personal and that I would not relay on to the employer. However, in order to really solve a problem, sometimes you need all the information.

Also, HIPAA would not apply in this instance unless the consultant was giving you very specific details about individuals who are receiving medical care. For instance, your consultant can tell you that 5 people are being treated for cancer, 10 people for heart diseases and so on. That's not a problem. If they said Bob Smith is being treated for complications due to a sex change operation, that is a problem.

Alexa48:

Much of the help you are looking depends on what type of business you are in: if you are already a covered entity under HIPAA (in short, a health plan, clearinghouse, or provider), then you have to look at your responsibilities as a covered entity. If you are not a CE, then you need to look at your responsibilites as a plan sponsor.

I suggest starting with www.ebia.com as a great source of information. I also suggest you look at the regs under164.530(k) for the information regarding health plans. You can find this under http://www.bricker.com/attserv/practice/hc.../hipaaindex.asp. This is also a great place to view the regs in an organized fashion.

Your carrier may or not be a CE also, depending on if they meet the requirements of the definition of a group health plan. For instance, TPAs may or may not be; they need to make that decision and you need to be asking them.

Since it is your consultant, i would do more research with your carrier, especially since you are self funded. If you need a sample of any BA contracts, contact me offline and I can provide them to you.