HIPAA compliance for self-insured group health plans – or self-administered health group plans – is one of the most complicated areas of HIPAA legislation.
The Administrative Simplification Rule of the Health Insurance Portability and Accountability Act (HIPAA) imposed obligations on health care clearinghouses, certain healthcare providers and health plans (collectively known as “Covered Entities”) to comply with national standards for electronic health care transactions, unique health identifiers, and data security.
The standards were developed by the U.S. Department of Health & Human Services and published in 2000 (the HIPAA Privacy Rule) and 2003 (the HIPAA Security Rule). Subsequent amendments, guidelines and companion Rules have shaped HIPAA compliance for self-insured group health plans to account for advances in technology and changes in working practices.
Definition of a Self-Insured Group Health Plan
Due to the complicated nature of HIPAA, and to better understand what HIPAA compliance for self-insured group health plans involves, it is practical to define what a self-insured group health plan is. A self-insured group health plan is one in which an employer assumes the financial risk for providing healthcare benefits to its employees as opposed to purchasing a “fully-insured” plan from an insurance carrier.
Typically, a self-insured employer will set up a special trust fund to earmark money (corporate and employee contributions) or use general funds to pay incurred claims, and either administer the plan themselves or – more commonly for larger employers – retain the services of an outside third-party administrator. A self-insured group health care plan can also include medical expense reimbursement flexible spending account plans (medical FSAs) and health reimbursement account plans (HRAs).
Exemptions from HIPAA Compliance for Self-Insured Companies
Exemptions from HIPAA compliance for self-insured companies are rare. Only if a group health plan is self-insured, self-administered and the employer has fewer than fifty employees is the company exempt from HIPAA compliance – provided medical FSAs and HRAs are also administered by the employer and not an outside third-party administrator. Providing an employee assistance plan or wellness plan can also trigger HIPAA compliance for self-insured companies.
Not surprisingly, there is a gray area of HIPAA compliance for self-insured companies known as “partial compliance”. Partial compliance is applicable when neither the sponsor of a group health plan nor its insurance agent has any access to, or transmits, Protected Health Information (PHI) electronically. These “hands off” group health plans only occur in specific circumstances, and generally most self-insured group health plans will be subject to HIPAA compliance.
What Does HIPAA Compliance for Self-Insured Group Health Plans Consist Of?
As mentioned above, HIPAA compliance for self-insured group health plans is one of the most complicated areas of HIPAA legislation. This is not only because it can be difficult to determine whether a company is subject to the legislation, but also because compliance requirements will vary from company to company depending on factors such as its size, the nature of its business and its internal organization.
Appoint a Privacy and Security Officer
Companies with self-insured group health plans should start by appointing a HIPAA Privacy Officer and a HIPAA Security Officer. These positions can be performed by the same person and/or an existing employee, and their first role is to identify where, why, and to what extent PHI is created, received, maintained or transmitted by the group health plan. This will likely involve many different departments such as IT, legal, payroll and HR.
Develop HIPAA-Compliant Privacy Policies
Once the discovery of PHI is completed, the next stage of HIPAA compliance for self-insured group health plans is to develop HIPAA-compliant privacy policies establishing the permitted uses and disclosures of PHI. This should take into account third-party administrators who – as a Business Associate – will also have to comply with HIPAA, and with whom it will be necessary to enter into a HIPAA Business Associate Agreement.
Develop HIPAA-Compliant Security Policies
One of the requirements of the HIPAA Security Rule is for Covered Entities to implement administrative, physical and technical safeguards to ensure the integrity of electronic PHI. In order to fulfil this requirement, Security Officers should conduct a risk assessment to identify any vulnerabilities that may lead to the unauthorized disclosure of electronic PHI, and – following a risk analysis – implement suitable measures and policies to address the vulnerabilities.
Develop a Breach Notification Policy
Despite a company’s best efforts to achieve HIPAA compliance for self-insured group health plans, there may be a time when an unauthorized disclosure of PHI occurs. Self-insured companies need to be prepared for such occurrences, and should develop a breach notification policy in order to advise affected employees that their personal information may have been compromised, and to notify the HHS Office for Civil Rights when necessary.
Employee Training is Essential
In order to enforce the policies and ensure HIPAA compliance for self-insured companies, employee training is essential. As members of a self-insured group health plan, each employee should be given a notice of the plan’s privacy practices, which can be used to explain why maintaining the integrity of PHI is essential. Each employee should also be given a copy of the company’s sanction policy explaining the consequences of failing to comply with the privacy, security and breach notification policies.
Further Information about HIPAA Compliance for Self-Insured Companies
Further information about HIPAA compliance for self-insured companies can be found in our “HIPAA Compliance Guide”. Our free-to-download guide provides more detailed information about the HIPAA Privacy Rule, the administrative, physical and technical safeguards of the HIPAA Security Rule, and the process for conducting risk assessments and risk analyses. You will also be able to find more information on Business Associates and Business Associate Agreements – an essential part of HIPAA compliance for self-insured group health plans if your company uses the services of an outside third-party administrator.