please help

You said a mouthful. What kind of help are you looking for?

basically you've got three things to worry about:

1) Transaction standards: You can file for an automatic one-year extension for compliance (until October, 2003). In my experience, most covered entities are filing for the extension.

2) Amendments to the plan: HIPAA requires certain amendments be made to the plan document. The regulations are fairly specific in the language required.

3) Compliance with the amendments: Ah, there's the rub. You need to assess the data flow in your plan to assure that no violations of HIPAA or the mandated amendments occur. This is the hardest part of HIPAA compliance.

We're filing for the extension and we will take care of adopting the plan amendents. My concern is that in a fully insured context, we can rely upon the insurance company to be responsible for the plan's( the covered entity's) HIPAA compliance w/r to policies etc. Here there is no insurance company. Even if the plan uses a TPA, if the employer retains final authority w/r to benefit claims, isn't the employer, in fact, the plan and therefore required to appoint a privacy officer, adopt policies etc?

Effectively, yes. The employer and the Plan are separate entities for HIPAA purposes, however, the employer is almost certainly the entity with the authority and ultimate responsibility to engage in the activities necessary for HIPAA compliance (including the ones you've mentioned).