One of the most confusing areas of HIPAA legislation is HIPAA compliance for self-insured group health plans – or self-administered group health plans.
The Administrative Simplification Rule of the Health Insurance Portability and Accountability Act (HIPAA) placed obligations on health care clearinghouses, certain healthcare providers and health plans (collectively known as “Covered Entities”) to comply with national standards for electronic health care transactions, unique health identifiers, and data security.
The standards were formulated by the U.S. Department of Health & Human Services and released in 2000 (the HIPAA Privacy Rule) and 2003 (the HIPAA Security Rule). Subsequent changes, guidelines and companion Rules have shaped HIPAA compliance for self-insured group health plans to allow for advances in technology and changes in working processes.
What is a Self-Insured Group Health Plan?
Because of the complicated nature of HIPAA, and to better understand what HIPAA compliance for self-insured group health plans involves, it is useful to define what a self-insured group health plan actually is. A self-insured group health plan is one in which an employer takes on the financial risk of providing healthcare benefits to its staff, as opposed to buying a “fully-insured” plan from an insurance provider.
Typically, a self-insured employer will establish a special trust fund to earmark money (corporate and employee contributions) to pay incurred claims, and will either administer the plan itself or – more typically for larger employers – retain the services of an outside third-party administrator. A self-insured group health plan can also incorporate medical expense reimbursement flexible spending account plans (medical FSAs) and health reimbursement account plans (HRAs).
Self-Insured Companies and Exemptions from HIPAA Compliance
Exemptions from HIPAA compliance for self-insured companies are unusual. Only if a group health plan is self-insured, self-administered and the employer has fewer than fifty employees is the firm exempt from HIPAA compliance – provided medical FSAs and HRAs are also managed by the employer and not by an outside third-party administrator. Providing an employee assistance plan or wellness plan can also bring a self-insured company within the scope of HIPAA compliance.
Unsurprisingly, there is a gray area of HIPAA compliance for self-insured companies known as “partial compliance”. Partial compliance is relevant when neither the sponsor of a group health plan nor its insurance agent has any access to Protected Health Information (PHI) or sends PHI electronically. These “hands off” group health plans only occur in specific circumstances, and most self-insured group health plans will be subject to HIPAA compliance.
What Makes Up HIPAA Compliance for Self-Insured Group Health Plans?
As mentioned previously, HIPAA compliance for self-insured group health plans is one of the most confusing areas of HIPAA legislation. This is not only because it can be difficult to determine whether a company is subject to the legislation, but also because compliance requirements will differ from company to company depending on factors such as its size, the nature of its business and its internal organization.
Hire a Privacy and Security Officer
Firms with self-insured group health plans should start by appointing a HIPAA Privacy Officer and a HIPAA Security Officer. These roles can be filled by the same person and/or an existing member of staff, and their first task is to identify where, why, and to what extent PHI is created, received, maintained or transmitted by the group health plan. This will likely involve many different departments, such as IT, legal, payroll and HR.
Develop HIPAA-Compliant Privacy Policies
Once the identification of PHI is finished, the next stage of HIPAA compliance for self-insured group health plans is to formulate HIPAA-compliant privacy policies establishing the allowable uses and disclosures of PHI. This should take into account third-party administrators who – as Business Associates – will also have to comply with HIPAA, and with whom it will be necessary to complete a HIPAA Business Associate Agreement.
Formulate HIPAA-Compliant Security Policies
One of the requirements of the HIPAA Security Rule is for Covered Entities to adopt administrative, physical and technical safeguards to ensure the integrity of electronic PHI. In order to meet this requirement, Security Officers should complete a risk assessment to find any weaknesses that may lead to the unauthorized disclosure of electronic PHI, and – following a risk analysis – implement suitable measures and policies to address those weaknesses.
Implement a Breach Notification Policy
Regardless of a company's best attempts to achieve HIPAA compliance for self-insured group health plans, there may be a time when an unauthorized disclosure of PHI happens. Self-insured companies need to be ready for such occurrences, and should develop a breach notification policy in order to alert employees that their personal information may have been compromised, and to notify the HHS Office for Civil Rights when required.
Employee Training is Vital
In order to enforce the policies and ensure HIPAA compliance for self-insured companies, employee training is vital. As subscribers to a self-insured group health plan, each worker should be given a notice of the plan's privacy practices, which can be used to explain why maintaining the integrity of PHI is critical. Each employee should also be supplied with a copy of the company's sanction policy explaining the consequences of failing to comply with the privacy, security and breach notification policies.