HIPAA Compliance for Self-Insured Group Health Plans

HIPAA compliance for self-insured group health plans – or self-administered group health plans – is a complicated area of HIPAA legislation.

The Administrative Simplification Rule of the Health Insurance Portability and Accountability Act (HIPAA) imposed requirements on health care clearinghouses, certain healthcare providers and health plans (collectively known as “Covered Entities”) to comply with national standards for the privacy of individually identifiable health information and the security of electronic Protected Health Information in transit and at rest.

The standards were developed by the U.S. Department of Health & Human Services and published in 2000 (the HIPAA Privacy Rule) and 2003 (the HIPAA Security Rule). Subsequent amendments, guidelines and companion Rules have shaped HIPAA compliance for self-insured group health plans to account for advances in technology and changes in working practices. A Breach Notification Rule was added in 2009.

Definition of a Self-Insured Group Health Plan

Due to the complicated nature of HIPAA, and to better understand what HIPAA compliance for self-insured group health plans involves, it is useful to first define what a self-insured group health plan is. A self-insured group health plan is one in which an employer assumes the financial risk for providing healthcare benefits to its employees, as opposed to purchasing a “fully-insured” plan from an insurance carrier.

Typically, a self-insured employer will set up a special trust fund to earmark corporate and employee contributions or use general funds to pay incurred claims, and either administer the plan themselves or – more commonly for larger employers – retain the services of a third-party administrator. A self-insured group health care plan can also include medical expense reimbursement flexible spending account plans (medical FSAs) and health reimbursement account plans (HRAs).

Exemptions from HIPAA Compliance for Self-Insured Companies

Exemptions from HIPAA compliance for self-insured companies are rare. Only if a group health plan is self-insured, self-administered, and the employer has fewer than fifty employees is the company exempt from HIPAA compliance – provided medical FSAs and HRAs are also administered by the employer and not an outside third-party administrator. Providing an employee assistance plan or wellness plan can also trigger HIPAA compliance for self-insured companies.

Not surprisingly, there is a gray area of HIPAA compliance for self-insured companies known as “partial compliance”. Partial compliance is applicable when neither the sponsor of a group health plan nor its insurance agent has any access to Protected Health Information (PHI) or transmits PHI electronically. These “hands off” group health plans only occur in specific circumstances, and most self-insured group health plans will be subject to HIPAA compliance.

What Does HIPAA Compliance for Self-Insured Group Health Plans Consist Of?

There are multiple elements to HIPAA compliance for self-insured group health plans, and many do not apply in all circumstances. Compliance requirements will vary from company to company depending on factors such as its size, the nature of its business, whether it operates public-facing offices, and its internal organization. The following is a brief HIPAA compliance checklist for self-insured group health plans.

Appoint a Privacy and Security Officer

Companies with self-insured group health plans have to appoint a HIPAA Privacy Officer and a HIPAA Security Officer. These positions can be performed by the same person and/or an existing member of the workforce, and their first role is to identify where, why, and to what extent PHI is created, received, maintained, or transmitted by the group health plan. This will likely involve many different departments such as IT, legal, payroll, and HR.

Analyze Uses and Disclosures of PHI

Once the discovery of PHI is complete, the Privacy and Security Officers should analyze uses and disclosures of PHI to ensure they fall within those permitted by the Privacy Rule. Where necessary, the Privacy Officer may need to obtain authorizations from employees for uses and disclosures of PHI that require them. Note: Employers are not permitted to take retaliatory action or discriminate against employees who refuse to give their authorization.

Develop HIPAA-Compliant Privacy Policies

The next stage of HIPAA compliance for self-insured group health plans is to develop HIPAA-compliant privacy policies establishing how PHI can be used and disclosed. This should take into account third-party administrators who – as Business Associates – also have to comply with the Security and Breach Notification Rules and elements of the Privacy Rule, and with whom it will be necessary to enter into a HIPAA Business Associate Agreement.

Develop HIPAA-Compliant Security Policies

One of the requirements of the HIPAA Security Rule is for Covered Entities to implement administrative, physical and technical safeguards to ensure the integrity of electronic PHI. In order to fulfil this requirement, Security Officers should conduct a risk assessment to identify any vulnerabilities that may lead to unauthorized access to electronic PHI, and – following a risk analysis – implement suitable measures and policies to address any vulnerabilities.

Develop a Breach Notification Policy

Despite a company's best efforts to achieve HIPAA compliance for self-insured group health plans, there may be a time when an unauthorized disclosure of PHI occurs. Self-insured companies need to be prepared for such occurrences, and should develop a breach notification policy in order to advise employees that their personal information may have been compromised. The policy should also cover notifications to HHS' Office for Civil Rights when necessary.

Employee Training is Essential

In order to enforce the policies and ensure HIPAA compliance for self-insured companies, employee training is essential. As members of a self-insured group health plan, each employee should be given a notice of the plan's privacy practices, which can be used to explain why maintaining the integrity of PHI is essential. Each employee should also be given a copy of the company's sanctions policy that explains the consequences of failing to comply with the privacy, security, and breach notification policies.

Further Information about HIPAA Compliance for Self-Insured Companies

Although the Department of Health and Human Services provides a great deal of HIPAA information on its website, relatively little relates to HIPAA compliance for self-insured group health plans. Companies unsure about their compliance requirements should seek professional help to – first – determine whether their plan is subject to the HIPAA requirements, and then obtain help with ticking off the items on the HIPAA compliance checklist.

HIPAA Compliance for Self-Insured Group Health Plans: FAQs

Do the same HIPAA Rules apply if the plan is an HMO or PPO?

Regardless of whether a self-insured group health plan operates under a Health Maintenance Organization (HMO) model or a Preferred Provider Organization (PPO) model, the same requirements exist to ensure the privacy of employees' individually identifiable health information and the security of electronic Protected Health Information.

What is the difference between individually identifiable health information and electronic Protected Health Information?

Individually identifiable health information is health information that alone or with other common identifiers could be used to identify a health plan member. When common identifiers such as a member's name, date of birth, or address are stored in a designated record set with the health information, they adopt the same protections as the health information.

What if a company has nobody ready to take the roles of Privacy and/or Security Officer?

If a company does not have an existing member of the workforce with sufficient knowledge to take the roles of Privacy and/or Security Officer – and lacks the resources to employ a full-time compliance officer – it is possible to contract short-term compliance services until such time as an existing member of the workforce has the skills and knowledge to assume the compliance roles.

What are the penalties for failing to comply with HIPAA?

The penalties for failing to comply with HIPAA vary according to such considerations as the nature of the violation(s), the number of records exposed in a data breach (if any), and the efforts made by the Covered Entity to reduce the risk of the violation(s) to an acceptable and reasonable level.

In most cases, HHS' Office for Civil Rights will offer technical assistance to prevent the violation happening again, or impose a corrective action plan if the violation is attributable to an underlying culture of non-compliance. Only in a minority of cases will HHS' Office for Civil Rights impose a financial civil penalty. In such cases, the amount of the penalty reflects the level of culpability:

| Penalty Tier | Level of Culpability                     | Minimum Penalty per Violation | Maximum Penalty per Violation | Annual Penalty Limit |
|--------------|-----------------------------------------|-------------------------------|-------------------------------|----------------------|
| Tier 1       | Reasonable Efforts                      | $127                          | $63,973                       | $1,919,173           |
| Tier 2       | Lack of Oversight                       | $1,280                        | $63,973                       | $1,919,173           |
| Tier 3       | Neglect – Rectified within 30 days      | $12,794                       | $63,973                       | $1,919,173           |
| Tier 4       | Neglect – Not Rectified within 30 days  | $63,973                       | $1,919,173                    | $1,919,173           |

Are disclosures of PHI for workers' comp purposes permissible under the Privacy Rule?

Yes. However, disclosures of PHI for workers' comp purposes must comply with the “minimum necessary standard”. This standard stipulates that only the minimum amount of PHI required to accomplish the intended purpose should be disclosed – unless a state-run workers' comp program is exempted under 45 CFR §164.502(b)(2)(v) and §164.5612(a)(1).

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.