Even some of the more basic aspects of the Health Insurance Portability and Accountability Act (HIPAA) can be difficult to understand, but when it comes to self-insured or self-administered health group plans, the level of complexity goes up a notch.
Under HIPAA, healthcare clearing houses, providers, and health plans (referred to as covered entities), are obligated to meet standards relating to electronic healthcare transaction, unique health identifiers, and information security. This is part of HIPAA’s Administrative Simplification Rule.
These standards were laid down and enacted as part of the HIPAA Privacy Rule (2000) and the HIPAA Security Rule (2003). Since these were introduced by the Department of Health & Human Services (HHS), further amendments, guidelines, and companion Rules have altered what HIPAA compliance means for self-insured group health plans as technology evolves and working norms shift.
Definition of a Self-Insured Group Health Plan
To try to simplify this broad and complex topic, we must first define what is meant by a self-insured group health plan. A self-insured group health plan is one in which an employer assumes the financial risk for providing healthcare benefits to its employees as opposed to purchasing a “fully-insured” plan from an insurance carrier.
It is common for self-insured employers to establish a trust fund with employer and employee contributions, or else to use general funds, to pay for incurred claims. The plan can be self-administered or managed by a third party. These plans may also cover medical expense reimbursement flexible spending account plans (medical FSAs) and health reimbursement account plans (HRAs).
HIPAA Exemptions for Self-Insured Companies
In a small number of cases, self-insured companies may be exempt from HIPAA Rules. This applies to self-insured, self-administered health plans for employers with fewer than 50 employees where medical FSAs and HRAs are also managed by the employer. Employee wellness or assistance plans may require self-insured group health plans to be HIPAA compliant.
This leaves some self-insured enterprises in a “partial compliance” gray area. This occurs when health group sponsors or insurance agents do not have access to and do not electronically share protected health information (PHI). This is a rare occurrence and the majority of group health plans need to be HIPAA compliant.
What Does HIPAA Compliance for Self-Insured Group Health Plans Mean?
This is a complicated area of law due to the fact that it is not always clear who is affected. Those who are affected may have different responsibilities based on their size, the type of business, and their internal structure.
Appointing Privacy and Security Officers
A first step for those with self-insured group health plans is to appoint HIPAA Privacy and Security Officers. Both of these roles can be performed by a single person who may already be an employee of the company. The Officer or Officers should start by determining where, why, and how much PHI is created, received, stored, or shared by the group health plan. This will probably require a transverse approach with inputs from HR, IT, legal, and payroll.
Develop HIPAA Compliant Privacy Policies
When the volume and nature of PHI is understood, the self-insured group health plan must introduce procedures to manage how PHI can be used and disclosed, in compliance with HIPAA Rules. Any third party administrators should be considered while developing these. As a Business Associate, they will also be subject to HIPAA regulations and will need to sign a HIPAA Business Associate Agreement (BAA).
Develop HIPAA Compliant Security Policies
The HIPAA Security Rule obliges covered entities to use administrative, technical, and physical safeguards to protect the integrity of electronic PHI (ePHI). Security Officers must carry out risk assessments to search for any areas that may lead to ePHI disclosures. Should such weaknesses be found, plans should be drawn up to minimize and manage the risks.
Develop a Breach Notification Policy
Accidents happen even when robust procedures are in place to limit PHI breaches. Self-insured groups should plan contingencies and develop procedures to notify staff and the HHS as appropriate should ePHI be disclosed.
Training for Staff is Key
Staff must be trained in all aspects of the new procedures for companies to remain HIPAA compliant. Employees, as members of the self-insured plan, should be provided with information about the privacy procedures and why the PHI should be kept securely. They should also receive a record of any disciplinary policy that the company has introduced to enforce HIPAA compliance.