Association Health Plans & HIPAA Compliance

In October 2017, President Trump published Executive Order 13813 – “Promoting Healthcare Choice and Competition across the United States”. The Executive Order directs the Administration to allow the purchase of health coverage across State borders in order to enhance competition in healthcare markets and limit excessive consolidation throughout the healthcare sector.

In order to reach the objectives of the Executive Order, the President suggests growing existing alternatives to the “expensive, mandate-laden Patient Protection and Affordable Care Act”. The current alternatives include Association Health Plans, Short-Term Limited-Duration Insurance Plans, and Health Reimbursement Arrangements.

HHS' Proposed Rule Widens the Criteria of ERISA

The HHS' proposed rule tackles the requirements of the Executive Order by widening the criteria of the Employee Retirement Income Security Act (ERISA). Under the proposed amendments, the definition of an “employer” is changed in part to include small businesses and self-employed workers who have a “commonality of interest” – for example a common geography or sector.

The amended definition of an employer permits small businesses and self-employed workers to establish an association for the purposes of obtaining less expensive health coverage through economies of scale. In this regard, Association Health Plans are no different from Multiple Employer Welfare Arrangements or Professional Employer Organization plans, except that – by allowing a “commonality of interest” based on industry – States' rights to regulate the providers of Association Health Plans are taken away.

The proposed rule also exempts Association Health Plans from being treated the same as individual and small-group insurance plans. HIPAA will still apply to Association Health Plans in that the plans cannot exclude an employee with a pre-existing condition from coverage; however, the plans will be able to charge different premiums in relation to employees' age, gender or industry, and are not required to provide the same level of benefits as mandated by the Affordable Care Act.

The Consequences of the Proposed Amendments to ERISA

If the HHS' proposed rule is implemented, the consequences will be major. The chance to take advantage of lower premiums for young male employees working in safe industries will prompt many qualifying small businesses and self-employed workers to join or set up Association Health Plans. According to the Department of Labor, up to 11 million employees would qualify for less expensive healthcare insurance under the proposed rule.

Currently there are fewer than two hundred Association Health Plans in operation throughout the nation. With the necessity to show the Association is “bona fide” (as required by many states) and the regulatory and administrative requirements of the Affordable Care Act taken away, the likelihood is that the number will increase to more than one thousand – similar to the levels reported in the 1990s. There are, however, negative consequences as well.

With up to 11 million staff choosing to opt out of insurance policies regulated by the Affordable Care Act, premiums for staff in large fully-insured group plans will increase. The effect has been compared to the creation of a “high-risk pool” catering for older and sicker workers employed in high-risk sectors. Companies may suffer not only from increased premiums, but also from higher deductibles in order to maintain the level of benefits made obligatory by the Affordable Care Act.

HIPAA Compliance Obligations Remain Exactly as Previously

The removal of States' rights to regulate Association Health Plan suppliers and the removal of Affordable Care Act requirements have no impact on HIPAA compliance for Association Health Plans.

Regardless of whether the plan is fully-insured, fully-insured with a high deductible, or self-insured, employers and plan administrators have exactly the same HIPAA compliance obligations as previously.

What will likely change is the number of health plans HIPAA applies to, if the fivefold rise in Association Health Plans occurs as expected. There may also be more unauthorized disclosures of Protected Health Information due to the inexperience of the parties managing the plans – particularly if the plans are self-insured and self-administered.

Under HIPAA, all health plans are referred to as “Covered Entities”. Covered Entities must adhere to the HIPAA regulations in their entirety to ensure the safety, integrity and confidentiality of Protected Health Information at rest or in transit (an explanation of “Protected Health Information” is provided in the Guide). HHS, which is charged with enforcing HIPAA, can issue fines for non-compliance with HIPAA, and parties in breach of the regulations can also face civil action and criminal prosecution.

Most small companies and self-employed workers joining an existing fully-insured plan will likely not have to worry about HIPAA compliance for Association Health Plans, as it is the plan – and not the individual subscriber to the plan – that is responsible for compliance with HIPAA. Smaller plans may engage third-party administrators, who act on behalf of the Covered Entity as “Business Associates” and who must ensure the integrity of the Protected Health Information they handle.

Where HIPAA compliance for Association Health Plans does become vital to be aware of is when the plan is self-insured (also known as “employer-sponsored”) and self-administered. Although individual workers are still regarded as separate entities, they will encounter Protected Health Information in the course of executing administrative duties on behalf of the plan, and are bound by HIPAA as to how the Protected Health Information can be used and shared.

Regulations for Employer Use of Protected Health Information

If an employer is providing a self-insured Association Health Plan (on behalf of its own staff or on behalf of other members' employees), each worker must be given a Notice of Privacy Practices explaining how their Protected Health Information can and cannot be used. For instance, the HIPAA Privacy Rule prohibits employers from using Protected Health Information for employment-related actions (unless permitted by the employee the Protected Health Information relates to).

To ensure HIPAA compliance for Association Health Plans, the administering employer must establish a policy for the plan determining the permitted uses of Protected Health Information by the plan sponsor(s). This necessitates a certification from the plan sponsor(s) that:

  • Staff information will not be disclosed outside the permitted uses unless permitted by the employee.
  • Agents and sub-contractors will not be allowed access to Protected Health Information without a similar certification.
  • Protected Health Information will not be used or shared for employment-related reasons (as mentioned above).
  • Employee information will be shared with employees who request it, amended as necessary, and deleted when it is no longer needed.
  • The plan sponsor(s) will report any use or disclosure of which they become aware that is inconsistent with the permitted and required uses and disclosures.
  • Policies for settling unauthorized disclosures and issues of non-compliance with HIPAA for Association Health Plans are established (and adhered to).
  • Policies and records retained by the plan sponsor(s) relating to the use and disclosure of Protected Health Information received from the plan will be made available to HHS inspectors should an investigation or HIPAA audit take place.

If a self-insured Association Health Plan uses a third-party administrator, a certification may also be needed from the plan sponsor(s) to address the allowable uses and disclosures of Protected Health Information received directly by the sponsor(s) from the third-party administrator.

As there are so many different possible scenarios relating to HIPAA compliance for Association Health Plans, it is not possible to cover them all in a single article. Areas like a plan’s capabilities to send and receive HIPAA-standard transactions and employers who supply on-site medical facilities have not been discussed, nor have the penalties for HIPAA violations.

Therefore, small firms and self-employed workers thinking about the benefits of an Association Health Plan should seek professional advice before completing an agreement with an existing plan or joining a new plan with a self-administered structure. Association Health Plans will not be as stringently regulated as health plans covered by the Affordable Care Act, but it is still vital to understand and put in place HIPAA compliance for Association Health Plans.

About Thomas Brown
Thomas Brown worked as a reporter for several years on ComplianceHome. Thomas is a seasoned journalist with several years' experience in the healthcare sector and has contributed to healthcare and information technology news publishers. Thomas has a particular interest in the application of healthcare information technology to better serve the interests of patients, including areas such as data protection and innovations such as telehealth.