What are the HIPAA EDI transaction requirements for a company administering their group health plan in-house as opposed to using a TPA? Are we required to be able to receive claims electronically? I know the privacy rules apply but what about security and EDI issues? I can not find this addressed. Also, should we be obtaining an authorization when we do not use PHI for purposes other than operation of the plan?

HIPAA uses a different definition of "plan" than ERISA, which causes quite a bit of confusion. A "health plan", for purposes of HIPAA, includes both an ERISA plan and an insurance company.

A health plan is required to be able to conduct covered transactions electronically. However, most employer sponsored health plans conduct these transactions through an insurer or TPA. Most insurers and TPAs are in the process of adapting their procedures to comply with HIPAA's EDI requirements (because the vast majority of such entities are health plans themselves). If an employer sponsored health plan depends upon these entities to conduct its transactions, it will be compliant when they are. For this reason, it is vitally important to track the progress vendors and TPAs are making towards compliance.

Note that the responsibility to comply still falls upon the employer sponsored health plan. You should have filed an extension for the plan and noted that you were depending on vendors and TPAs. Otherwise, the plan may be in technical violation of the EDI requirements.

As for your second question, the plan should obtain an authorization if it utilizes PHI for anything not permitted by the rules. What are you planning to do with the information?

I will add one comment about the regulations and which ones apply. If you are a group health plan (and therefore a Covered Entity) under the defintion of one set of regs, you are a covered entity under all the regs and must comply with all.

Clearinghouses for in-house self administered groups for EDI transactions by the Oct 2003 deadline would seem cost prohibitive unless it is a large company. Has anyone found any reasonable EDI solutions for small to midsize companies?