One of the most confusing aspects of HIPAA legislation is HIPAA compliance for self-insured group health plans and self-administered group health plans.
The Administrative Simplification Rules of the Health Insurance Portability and Accountability Act (HIPAA) impose obligations on healthcare clearinghouses, certain healthcare providers and health plans (collectively known as “Covered Entities”) to comply with national standards for electronic healthcare transactions, the use of unique identifiers, and privacy and security.
The standards were formulated by the U.S. Department of Health & Human Services and released in 2000 (the HIPAA Privacy Rule) and 2003 (the HIPAA Security Rule). Subsequent amendments, guidance and companion Rules have shaped HIPAA compliance for self-insured group health plans to account for advances in technology and changes in working practices.
What is a Self-Insured Group Health Plan?
Because HIPAA is complicated, and to better understand what HIPAA compliance for self-insured group health plans involves, it is practical to define what a self-insured group health plan actually is. A self-insured group health plan is one in which an employer takes on the financial risk of providing healthcare benefits to its staff rather than buying a “fully-insured” plan from an insurance provider.
Typically, a self-insured employer will establish a special trust fund to earmark money (corporate and employee contributions) to pay incurred claims, and will either administer the plan itself or, more typically for larger employers, retain the services of an outside third-party administrator. A self-insured group health plan can also incorporate medical expense reimbursement, flexible spending account plans (medical FSAs), and health reimbursement arrangements (HRAs).
Self-Insured Companies and Exemptions from HIPAA Compliance
Exemptions from HIPAA compliance for self-insured companies are unusual. A group health plan is exempt only if it is self-insured, self-administered, and has fewer than fifty participants, and then only if any medical FSAs and HRAs are also administered by the employer and not by an outside third-party administrator. Offering an employee assistance program or wellness program can also bring a self-insured company within the scope of HIPAA.
Unsurprisingly, there is a gray area of HIPAA compliance for self-insured companies known as “partial compliance”. Partial compliance applies when neither the sponsor of a group health plan nor its insurer has access to, or electronically transmits, Protected Health Information (PHI). Such “hands off” group health plans arise only in specific circumstances, and most self-insured group health plans will be required to comply with HIPAA in full.
What Makes Up HIPAA Compliance for Self-Insured Group Health Plans?
As mentioned previously, HIPAA compliance for self-insured group health plans is one of the most confusing areas of HIPAA legislation. This is not only because it can be difficult to determine whether a company is subject to the legislation, but also because the compliance requirements differ from company to company depending on factors such as its size, the nature of its business and its structure. Generally speaking, the requirements for HIPAA compliance are:
Appoint a Privacy and Security Officer
Firms with self-insured group health plans should start by appointing a HIPAA Privacy Officer and a HIPAA Security Officer. Both roles can be held by the same person, who may be an existing member of staff. Their first task is to identify where, why, and to what extent PHI is created, received, maintained, stored, or transmitted by the group health plan. This will likely involve many different departments, such as IT, legal, payroll and HR.
Develop HIPAA-Compliant Privacy Policies
Once the identification of PHI is complete, the next stage of HIPAA compliance for self-insured group health plans is to formulate HIPAA-compliant privacy policies establishing the permitted uses and disclosures of PHI. These policies should take into account any third-party administrator, which, acting as a Business Associate, must also comply with HIPAA and with which the plan must enter into a HIPAA Business Associate Agreement.
Formulate HIPAA-Compliant Security Policies
A core requirement of the HIPAA Security Rule is for Covered Entities to implement administrative, physical and technical safeguards to ensure the confidentiality, integrity, and availability of electronic PHI. To meet this requirement, the Security Officer should conduct a risk analysis to identify any weaknesses that could lead to unauthorized access to, or disclosure of, electronic PHI, and then implement suitable measures and policies that address those weaknesses and reduce the risk to a reasonable and appropriate level.
Implement a Breach Notification Policy
Regardless of a company’s best efforts to achieve HIPAA compliance, there may come a time when an unauthorized disclosure of PHI occurs. Self-insured companies need to be ready for such incidents and should develop a breach notification policy covering how, and within what timeframe, affected employees will be told that their PHI may have been compromised and how the HHS Office for Civil Rights will be notified.
Employee Training is Vital
In order to enforce the policies and ensure HIPAA compliance, employee training is vital. As participants in a self-insured group health plan, each worker should be given a notice of the plan’s privacy practices explaining the permitted uses and disclosures of PHI. Each employee should also be supplied with a copy of the company’s sanction policy explaining the consequences of failing to comply with the privacy, security and breach notification policies.