
HIPAA Compliance for Self-Insured Group Health Plans

HIPAA compliance for self-insured group health plans – or self-administered group health plans – is a complicated area of HIPAA legislation because of the different ways in which self-insured group health plans can operate and because of potential exemptions from HIPAA compliance.

The Administrative Simplification Rule of the Health Insurance Portability and Accountability Act (HIPAA) imposed requirements on health care clearinghouses, certain healthcare providers, and health plans (collectively known as “covered entities”) to comply with national standards for the privacy of individually identifiable health information and the security of electronic Protected Health Information.

The standards were developed by the U.S. Department of Health & Human Services and published in 2000 (the HIPAA Privacy Rule) and 2003 (the HIPAA Security Rule). Subsequent amendments, guidelines, and companion Rules have shaped HIPAA compliance for self-insured group health plans to account for advances in technology and changes in working practices. A Breach Notification Rule was added in 2009.

Definition of a Self-Insured Group Health Plan

Due to the complicated nature of HIPAA, and to better understand what HIPAA compliance for self-insured group health plans involves, it is practical to define what a self-insured group health plan is. A self-insured group health plan is one in which an employer assumes the financial risk for providing healthcare benefits to its employees as opposed to purchasing a “fully-insured” plan from an insurance carrier.


Typically, a self-insured employer will set up a special trust fund to earmark corporate and employee contributions or use general funds to pay incurred claims, and either administer the plan themselves or – more commonly for larger employers – retain the services of a third-party administrator. A self-insured group health care plan can also include medical expense reimbursement flexible spending account plans (medical FSAs) and health reimbursement account plans (HRAs).

Exemptions from HIPAA Compliance for Self-Insured Companies

Exemptions from HIPAA compliance for self-insured companies are rare. Only if a group health plan is self-insured, self-administered, and the employer has fewer than fifty employees is the company exempt from HIPAA compliance – provided medical FSAs and HRAs are also administered by the employer and not an outside third-party administrator. Providing an employee assistance plan or wellness plan can also trigger HIPAA compliance for self-insured companies.

Not surprisingly, there is a gray area of HIPAA compliance for self-insured companies known as “partial compliance”. Partial compliance is applicable when neither the sponsor of a group health plan nor its insurance agent has any access to Protected Health Information (PHI) or transmits PHI electronically. These “hands off” group health plans only occur in specific circumstances, and most self-insured group health plans will be subject to HIPAA compliance.

What Does HIPAA Compliance for Self-Insured Group Health Plans Consist Of?

There are multiple elements to HIPAA compliance for self-insured group health plans, and many do not apply in all circumstances. Compliance requirements will vary from company to company depending on factors such as its size, the nature of its business, whether it operates public-facing offices, and its internal organization. The following is a brief HIPAA compliance checklist for self-insured group health plans.

Appoint a Privacy and Security Officer

Companies with self-insured group health plans have to appoint a HIPAA Privacy Officer and a HIPAA Security Officer. These positions can be performed by the same person and/or an existing member of the workforce, and their first role is to identify where, why, and to what extent PHI is created, received, maintained, or transmitted by the group health plan. This will likely involve many different departments such as IT, legal, payroll, and HR.

Analyze Uses and Disclosures of PHI

Once the discovery of PHI is complete, the Privacy and Security Officers should analyze uses and disclosures of PHI to ensure they fall within those permitted by the HIPAA Privacy Rule. Where necessary, the Privacy Officer may need to obtain authorizations from employees for some uses and disclosures of PHI that require them. Note: Employers are not permitted to take retaliatory action or discriminate against employees who refuse to give their authorization.

Develop HIPAA-Compliant Privacy Policies

The next stage of HIPAA compliance for self-insured group health plans is to develop HIPAA-compliant privacy policies establishing how PHI can be used and disclosed. This should take into account third-party administrators who – as business associates – also have to comply with the HIPAA Security and Breach Notification Rules and elements of the HIPAA Privacy Rule, and with whom it will be necessary to enter into a HIPAA Business Associate Agreement.

Develop HIPAA-Compliant Security Policies

One of the requirements of the HIPAA Security Rule is for covered entities to implement administrative, physical and technical safeguards to ensure the integrity of electronic PHI. In order to fulfil this requirement, Security Officers should conduct a risk assessment to identify any vulnerabilities that may lead to unauthorized access to electronic PHI, and – following a risk analysis – implement suitable measures and policies to address any vulnerabilities.

Develop a Breach Notification Policy

Despite a company’s best efforts to achieve HIPAA compliance for self-insured group health plans, there may be a time when an unauthorized disclosure of PHI occurs. Self-insured companies need to be prepared for such occurrences, and should develop a breach notification policy in order to advise employees that personal information may have been compromised. The policy should also cover notifications to HHS’ Office for Civil Rights when necessary.

HIPAA Training for Self-Insured Group Health Plan Administrators

HIPAA training for self-insured group health plan administrators is mandatory because these plans handle protected health information for enrollment, eligibility, claims processing, appeals, care management activities, and plan operations. Training should explain how the HIPAA Privacy, Security, and Breach Notification Rules apply in a benefits administration context, with practical guidance on minimum necessary use, verifying identities before disclosing information, and managing routine disclosures to third parties such as TPAs, stop-loss carriers, brokers, and vendors. It should also address common risk points in plan administration, including email and file-sharing practices, access controls for HR and benefits systems, safeguarding printed materials, and recognizing phishing and social engineering attempts that target member data. Since self-insured arrangements often require close coordination between the health plan, the employer, and external service providers, training should reinforce the importance of clear internal procedures, proper handling of plan communications, prompt incident escalation, and maintaining defensible documentation of training completion for compliance purposes.

As members of a self-insured group health plan, each employee should be given a notice of the plan’s privacy practices which can be used to explain why maintaining the integrity of PHI is essential. Each employee should also be given a copy of the company’s sanctions policy that explains the consequences of failing to comply with the privacy, security, and breach notification policies.

Further Information about HIPAA Compliance for Self-Insured Companies

Although the Department of Health and Human Services provides a great deal of HIPAA information on its website, relatively little relates to HIPAA compliance for self-insured group health plans. Companies unsure about their compliance requirements should seek professional help to – first – determine whether their plan is subject to the HIPAA requirements, and then obtain help for ticking off the items on the HIPAA compliance checklist.

HIPAA Compliance for Self-Insured Group Health Plans: FAQs

Do the same HIPAA Rules apply if the plan is an HMO or PPO?

Regardless of whether a self-insured group health plan operates under a Health Maintenance Organization (HMO) model or a Preferred Provider Organization (PPO) model, the same requirements exist to ensure the privacy of employees’ individually identifiable health information and the security of electronic Protected Health Information.

What is the difference between individually identifiable health information and electronic Protected Health Information?

Individually identifiable health information is health information that alone or with other common identifiers could be used to identify a health plan member. When common identifiers such as a member’s name, date of birth, or address are stored in a designated record set with the health information, they adopt the same protections as the health information.

What if a company has nobody ready to take the roles of Privacy and/or Security Officer?

If a company does not have an existing member of the workforce with sufficient knowledge to take the roles of Privacy and/or Security Officer – and lacks the resources to employ a full-time compliance officer – it is possible to contract short-term compliance services until such time as an existing member of the workforce has the skills and knowledge to assume the compliance roles.

What are the penalties for failing to comply with HIPAA?

The penalties for failing to comply with HIPAA vary according to such considerations as the nature of the violation(s), the number of records exposed in a data breach (if any), and the efforts made by the covered entity to reduce the risk of the violation(s) to an acceptable and reasonable level.

In most cases, HHS’ Office for Civil Rights will offer technical assistance to prevent the violation happening again or impose a corrective action plan if the violation is attributable to an underlying culture of non-compliance. Only in a minority of cases will HHS’ Office for Civil Rights impose a financial civil penalty. In such cases, the amount of the penalty (current as at December 2025) reflects the level of culpability:

| Penalty Tier | Level of Culpability | Minimum Penalty per Violation | Maximum Penalty per Violation | Annual Penalty Limit |
|---|---|---|---|---|
| Tier 1 | Reasonable Efforts | $141 | $35,581 | $35,581 |
| Tier 2 | Lack of Oversight | $1,424 | $71,162 | $142,355 |
| Tier 3 | Neglect – Rectified within 30 days | $14,232 | $71,162 | $355,808 |
| Tier 4 | Neglect – Not Rectified within 30 days | $71,162 | $2,134,831 | $2,134,831 |

Are disclosures of PHI for workers’ comp purposes permissible under the HIPAA Privacy Rule?

Yes. However, disclosures of PHI for workers’ comp purposes must comply with the “minimum necessary standard”. This standard stipulates that only the minimum amount of PHI required to accomplish the intended purpose should be disclosed – unless a state-run workers’ comp program is exempted under 45 CFR §164.502(b)(2)(v) and §164.512(a)(1).


Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
