HIPAA compliance for self-insured health plans is not black and white. The nature and extent of a self-insured health plan’s compliance is determined by several factors, including the nature of the business of the employer sponsoring the plans, business size, and business organizational structure, among other factors.
What Are Self-Insured Health Plans?
Self-insured health plans (also known as self-insured group health plans, or self-funded plans) are plans in which the employer, instead of paying monthly premiums to an insurance carrier (i.e. instead of being “fully insured”) to insure its employees, pays for employee medical claims out of its own pocket. With a self-insured health plan, the employer – rather than a private insurer – assumes the financial risk of providing healthcare insurance benefits to its workers.
Typically, self-insured plans are funded by the employer setting up a special trust fund, funded with employee contributions, to pay for expenses as they are incurred.
What are the Reasons for Self-Funding?
Employers may opt for self-insured health plans for a variety of reasons. Having a self-insured health plan:
- Allows a company to customize its healthcare plan, to meet its workers’ specific healthcare needs.
- Allows the employer to pay for coverage as claims become due, instead of having to pre-pay in the form of monthly premiums.
- Simplifies legal compliance. Self-insured plans are regulated under a federal law known as the Employee Retirement Income Security Act (ERISA), as opposed to a patchwork of state health insurance laws, some of which may conflict with each other.
- Allows for the employer to avoid paying state health insurance premium taxes. Self-insured health plans are not subject to these taxes.
- Allows the employer to contract with those covered entities and healthcare providers best suited to meet individual healthcare needs.
Are Self-Insured Health Plans Subject to HIPAA?
Most self-insured health plans are subject to HIPAA. The specific requirements to which HIPAA compliance for self-insured health plans are subject depend upon factors such as the nature of the employer’s business, the size of the business, how the business is organized, and a number of other factors.
What Does HIPAA Compliance for Self-Insured Health Plans Consist of?
HIPAA compliance for self-insured health plans consists of the following measures (among others):
- Appointing a Privacy and Security Officer (Official). Employers sponsoring a self-insured health plan should designate a Privacy Officer and a Security Officer. The HIPAA privacy officer oversees the development, implementation, maintenance of, and adherence to privacy policies and procedures regarding the safe use and handling of protected health information (PHI) in compliance with HIPAA and with any applicable state laws. Meanwhile, the Security Officer is responsible for the continuous management of information security policies, procedures, and technical systems in order to maintain the confidentiality, integrity, and availability of electronic protected health information (ePHI) and of all organizational information systems. The Privacy Officer and Security Officer can be the same person, and can be an existing staff member. Officers typically consult and work with different departments of the employer, such as IT, legal, and HR, in the performance of their job duties. The initial task of the Privacy Officer should be to identify all existing PHI; the initial task of the Security Officer should be to identify all existing ePHI.
- Developing HIPAA-compliant privacy policies. After PHI and ePHI have been identified, the employer who maintains the self-insured health plan should develop HIPAA compliant policies and procedures. These policies and procedures should establish:
- When PHI or ePHI may be used or disclosed
- What workforce members may access PHI or ePHI
- When PHI or ePHI may not be used or disclosed
- The consequences to an employee for their violation of the policies or procedures