What is a Self-Insured Health Plan and Does HIPAA Apply?

What is a Self-Insured Health Plan

Many people who have health insurance cards from United Healthcare, Cigna, or a variety of other companies do not actually have health insurance with those companies. Their employer is actually providing their health insurance coverage through a self-insured health plan.

A recent survey found that nearly two-thirds of employees with employer-sponsored health coverage were enrolled in self-insured plans. What makes these plans different from fully insured plans, and how do laws such as HIPAA apply?

A Quick Overview of Self-Insured Health Plans

As the name suggests, a self-insured plan is funded by the employer to cover employee claims. The employer assumes the risk for employee health claims. 

With fully-insured plans, an employer purchases health insurance (usually through a combination of employer and employee contributions) from a commercial insurance company. The insurance company then assumes all coverage risks for employees.

Most private companies with more than 200 employees are self-insured. They often contract with major insurance carriers like Blue Cross, United Healthcare, Cigna, and Humana to provide plan administration and access to provider networks. These carriers also offer products that limit risk and cost volatility, making it easier for smaller companies to self-insure.


Key Differences in Self-Insured Health Plans

While fully-insured health plans are subject to a few federal regulations such as HIPAA, COBRA, and the Affordable Care Act (ACA), most of the regulation of these plans is imposed by the individual states in which they operate.

Self-insured plans are not subject to those state regulations. So if a state passes regulations requiring certain coverage such as vasectomies or dental and vision care, self-insured plans are exempt from those requirements.

Certain provisions of the ACA do not apply to self-insured plans, including medical loss ratio rules, requirements to provide essential health benefits, and three-to-one premium limits.

Self-insured plans also have greater flexibility in what coverages they offer, allowing plans to be more customized to the needs of the employees and the employer.

Who Regulates Self-Insured Health Plans?

Self-insured plans are regulated at the federal level under the Employee Retirement Income Security Act (ERISA). They are also subject to HIPAA rules, including a prohibition from rejecting an eligible employee or dependent based on medical history. 

Self-insured plans must also abide by the following provisions of the ACA: 

  • No waiting periods for pre-existing conditions
  • Out-of-pocket expense limits
  • Dependents are allowed to remain on the plan until age 26
  • Employers with more than 50 full-time equivalent employees must provide coverage that is affordable and provides minimum value

The federal law prohibiting surprise balance billing that took effect in 2022 also applies to self-insured plans.

HIPAA and Self-Insured Health Plans

For a self-insured company to be exempt from HIPAA regulations, it must meet the following standards: the group health plan must be self-insured, self-administered (including medical FSAs and HSAs), and have fewer than 50 employees. If an Employee Assistance Program or wellness program is offered, the plan must be HIPAA-compliant.

There is also a status known as partial compliance, which may apply if neither the group health plan sponsor nor its insurance agent has access to or transmits electronic protected health information (ePHI). These instances are rare, and a determination should only be made following consultation with experts who are very knowledgeable about the conditions.

Most self-insured companies must comply with HIPAA. This is one of the most complicated areas of HIPAA legislation specifically because the needs of each company can be so different.

Further complicating the process is the fact that HIPAA compliance is an all-or-nothing proposition. You must fully comply with all of the rules, assessments, and standards, including the HIPAA Privacy Rule, the HIPAA Security Rule, the HIPAA Breach Notification Rule, and the HIPAA Omnibus Rule. There is no such thing as being almost compliant.

The good news is that Compliancy Group has the knowledge and expertise to help self-insured companies achieve HIPAA compliance as painlessly as possible. We pair our compliance tracking software, The Guard, with a dedicated Compliance Coach who will guide you through the software, point you toward answers in our extensive knowledge base, and empower your organization to become fully and confidently HIPAA compliant.
