HIPAA Compliance for Association Health Plans

HIPAA compliance for Association Health Plans has been a topic of conversation between contributors to HIPAA Journal since the Department of Health & Human Services (HHS) released a proposed rule to help small businesses and self-employed workers buy less expensive health coverage.

In October 2017, President Trump issued Executive Order 13813 – “Promoting Healthcare Choice and Competition across the United States”. The Executive Order directs the Administration to facilitate the purchase of health coverage across State borders in order to promote competition in healthcare markets and limit excessive consolidation throughout the healthcare system.

In order to achieve the objectives of the Executive Order, the President suggests expanding existing alternatives to the “expensive, mandate-laden Patient Protection and Affordable Care Act”. The existing alternatives include Association Health Plans, Short-Term Limited-Duration Insurance Plans, and Health Reimbursement Arrangements.

HHS´ Proposed Rule Broadens the Criteria of ERISA

The HHS´ proposed rule addresses the requirements of the Executive Order by broadening the criteria of the Employee Retirement Income Security Act (ERISA). Under the proposed changes, the definition of an “employer” is changed in part to include small businesses and self-employed workers who have a “commonality of interest” – for example a common geography or industry.

The amended definition of an employer allows small business and self-employed workers to form an association for the purposes of obtaining less expensive health coverage through economies of scale. In this respect, Association Health Plans are no different to Multiple Employer Welfare Arrangements or Professional Employer Organization plans except that – by allowing a “commonality of interest” based on industry – States´ rights to regulate the providers of Association Health Plans are removed.

The proposed rule also exempts Association Health Plans from being treated the same as individual and small-group insurance plans. Whereas HIPAA compliance for Association Health Plans will apply inasmuch as the plans cannot exclude an employee with a pre-existing condition from coverage, the plans will be able to charge different premiums according to employees´ age, gender or industry; and are not required to provide the same level of benefits as mandated by the Affordable Care Act.

The Consequences of the Proposed Changes to ERISA

If the HHS´ proposed rule is adopted, the consequences will be significant. The opportunity to take advantage of lower premiums for young male employees working in safe industries will prompt many qualifying small businesses and self-employed workers to join or create Association Health Plans. According to the Department of Labor, up to 11 million employees would qualify for cheaper healthcare insurance under the proposed rule.

At present there are fewer than two hundred Association Health Plans in operation throughout the country. With the necessity to demonstrate the Association is “bono fide” (as required by many states) and the regulatory and administrative requirements of the Affordable Care Act removed, the likelihood is the number will increase to more than one thousand – similar to the levels reported in the 1990s. There are however negative consequences as well.

With up to 11 million employees opting out of insurance policies regulated by the Affordable Care Act, premiums for employees in large fully-insured group plans will increase. The effect has been likened to the creation of a “high-risk pool” catering for older and sicker workers employed in high-risk industries. Businesses may not only suffer from increased premiums, but also higher deductibles in order to maintain the level of benefits mandated by the Affordable Care Act.

HIPAA Compliance Obligations Remain Exactly as Before

The removal of States´ rights to regulate providers of Association Health Plans and the removal of Affordable Care Act requirements has no impact on HIPAA compliance for Association Health Plans.  Regardless of whether the plan is fully-insured, fully-insured with a high deductible, or self-insured, employers and plan administrators have exactly the same HIPAA compliance obligations as before.

What will likely change is the number of health plans HIPAA applies to if the fivefold increase in Association Health Plans occurs as expected. There may also be more unauthorized disclosures of Protected Health Information due to the inexperience of the parties administering the plans – particularly if the plans are self-insured and self-administered.

For parties considering Association Health Plans with limited experience of HIPAA (the Health Insurance Accountability and Portability Act), we have produced a general HIPAA Compliance Guide which is free to download. As our Guide relates to HIPAA in general, the following information relating specifically to HIPAA Compliance for Association Health Plans should be of interest.

HIPAA Compliance for Association Health Plans

Under HIPAA, all health plans are “Covered Entities”. Covered Entities must comply with the HIPAA regulations in their entirety to ensure the security, integrity and confidentiality of Protected Health Information at rest or in transit (an explanation of “Protected Health Information” is provided in the Guide). The HHS – who is responsible for enforcing HIPAA – can issue fines for non-compliance with HIPAA, and parties in breach of the regulations can also face civil action and criminal prosecution.

Most small businesses and self-employed workers joining an existing fully-insured plan will likely not have to worry about HIPAA compliance for Association Health Plans, as it is the plan – and not the individual members of the plan – that are responsible for compliance with HIPAA. Smaller plans may engage third-party administrators, who act on behalf of the Covered Entity as “Business Associates” and who are responsible for the integrity of the Protected Health Information they handle.

When HIPAA compliance for Association Health Plans does become important to know is when the plan is self-insured (also known as “employee-sponsored”) and self-administered. Although individual employers are still regarded as separate entities, they will encounter Protected Health Information in the course of executing administrative duties on behalf of the plan and are bound by HIPAA or how the Protected Health Information can be used and disclosed.

Rules Relating to Employer Use of Protected Health Information

If an employer is administering a self-insured Association Health Plan (on behalf of his employees or on behalf of other members´ employees) each employee must be given a Notice of Privacy Practices explaining how their Protected Health Information can and cannot be used. For example, the HIPAA Privacy Rule prohibits employers for using Protected Health Information for employment-related actions (unless authorized by the employee the Protected Health Information relates to).

To ensure HIPAA compliance for Association Health Plans, the administering employer must create a policy for the plan determining the permitted uses of Protected Health Information by the plan sponsor(s). This requires a certification from the plan sponsor(s) that:

  • Employee information will not be disclosed outside the permitted uses unless authorized by the employee.
  • Agents and sub-contractors will not be given access to Protected Health Information without a similar certification.
  • Protected Health Information will not be used or disclosed for employment-related actions (as mentioned above).
  • Employee information will be made available to employees who request it, amended as necessary, and destroyed when it is no longer required.
  • The plan sponsor(s) will report any use or disclosure of which it is aware that is inconsistent with the permitted and required uses and disclosures.
  • Policies for resolving unauthorized disclosures and issues of non-HIPAA compliance for Association Health Plans are in place (and adhered to).
  • Policies and records retained by the plan sponsor(s) relating to the use and disclosure of Protected Health Information received from the plan will be made to HHS inspectors in the event of an investigation or HIPAA audit.

In the event a self-insured Association Health Plan uses a third-party administrator, a certification may also be required from the plan sponsor(s) to address the permitted uses and disclosures of Protected Health Information received directly by the sponsor(s) from the third-party administrator. For example:

If an employee voluntarily brings information about a claim to an employer, the employee´s authorization for the employer to disclose the information to the third-party administrator is implied. When information is passed back to the employee from the third-party administrator via their employer, there needs to be a certification in place to stipulate how the employer can use that information.

HIPAA Compliance for Association Health Plans: Conclusion

Due to there being so many different possible scenarios relating to HIPAA compliance for Association Health Plans, it is impossible to cover them all in a single article. Areas such as a plan´s capabilities to send and receive HIPAA-standard transactions and employers who provide on-site medical facilities have not been discussed, nor have the penalties for HIPAA violations.

Therefore, small businesses and self-employed workers considering the benefits of an Associated Health Plan should seek professional advice before entering into an agreement with an existing plan or joining a new plan with a self-administered structure. Associated Health Plans will not be as strictly regulated as health plans covered by the Affordable Care Act, but it is still important to understand and implement HIPAA compliance for Association Health Plans.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.