HIPAA compliance for self-insured group health plans – or self-managed health group plans – is one of the most confusing and complex areas of HIPAA legislation.
The Administrative Simplification provisions of the Health Insurance Portability and Accountability Act (HIPAA) placed obligations on health care clearinghouses, certain healthcare providers and health plans (collectively known as “Covered Entities”) to comply with national standards for electronic health care transactions, unique health identifiers, and data security.
The standards were put in place by the U.S. Department of Health & Human Services and released in 2000 (the HIPAA Privacy Rule) and 2003 (the HIPAA Security Rule). Later amendments, guidelines and companion Rules have shaped HIPAA compliance for self-insured group health plans so that it takes into account advances in technology and changes in working practices.
Self-Insured Group Health Plan Definition
Due to the complex nature of HIPAA, and to better understand what HIPAA compliance for self-insured group health plans involves, it is practical to first define what a self-insured group health plan is. A self-insured group health plan is one in which an employer assumes the financial risk of providing healthcare benefits to its employees, as opposed to purchasing a “fully-insured” plan from an insurance carrier.
Usually, a self-insured employer will establish a special trust fund to earmark money (corporate and employee contributions) or use general funds to pay incurred claims, and either manage the plan themselves or – more typically for larger employers – retain the services of an outside third-party administrator. A self-insured group health care plan can also incorporate medical expense reimbursement flexible spending account plans (medical FSAs) and health reimbursement account plans (HRAs).
HIPAA Compliance for Self-Insured Companies Exemptions
HIPAA compliance exemptions for self-insured companies are unusual. A company is exempt from HIPAA compliance only if its group health plan is self-insured and self-administered and the employer has fewer than fifty employees, provided that any medical FSAs and HRAs are also administered by the employer rather than by an external third-party administrator. Offering an employee assistance plan or wellness plan can also affect whether a self-insured company must comply with HIPAA.
As is to be expected, there is a gray area of HIPAA compliance for self-insured companies known as “partial compliance”. Partial compliance applies when neither the sponsor of a group health plan nor its insurance agent has any control over Protected Health Information (PHI) or transmits it electronically. These “hands off” group health plans arise only in specific circumstances, and most self-insured group health plans will be subject to HIPAA compliance.
What Does HIPAA Compliance for Self-Insured Group Health Plans Include?
1. Designate a Privacy and Security Officer
Businesses with self-insured group health plans should start by designating a HIPAA Privacy Officer and a HIPAA Security Officer. These positions can be held by the same person and/or an existing employee, and their first task is to discover where, why, and to what extent PHI is created, received, maintained or transmitted by the group health plan. This will likely involve many different departments, such as IT, legal, payroll and HR.
2. Establish HIPAA-Compliant Privacy Policies
Once the discovery of PHI is completed, the next phase of HIPAA compliance for self-insured group health plans is to set up HIPAA-compliant privacy policies establishing the permitted uses and disclosures of PHI. These should take into account third-party administrators who, as Business Associates, will also have to comply with HIPAA, and with whom it will be necessary to complete a HIPAA Business Associate Agreement.
3. Set up HIPAA-Compliant Security Policies
One of the obligations of the HIPAA Security Rule is for Covered Entities to adopt administrative, physical and technical safeguards to ensure the integrity of electronic PHI. In order to meet this requirement, Security Officers should carry out a risk assessment to identify any flaws that may lead to the unauthorized disclosure of electronic PHI and, following a risk analysis, implement suitable measures and policies to address the weaknesses.
4. Create a Breach Notification Policy
Despite a company’s best attempts to achieve HIPAA compliance for self-insured group health plans, an unauthorized disclosure of PHI may still take place. Self-insured companies need to be prepared for such instances and should develop a breach notification policy in order to notify employees that their personal information may have been compromised, and to notify the HHS Office for Civil Rights when required.
5. Provide Employee Training
In order to enforce the policies and ensure HIPAA compliance for self-insured businesses, employee training is vital. As subscribers to a self-insured group health plan, each employee should be given a notice of the plan’s privacy practices, which can be used to explain why maintaining the integrity of PHI is essential. Each staff member should also be given a copy of the company’s sanction policy explaining the consequences of failing to comply with the privacy, security and breach notification policies.