
9 Things to Consider for Self-Insured Health Plan HIPAA Compliance

Feb 15, 2024

It’s been 28 years since President Clinton signed the Health Insurance Portability and Accountability Act (“HIPAA”) into law and 22 years since the first Administrative Simplification Rules became effective. However, HIPAA compliance is still challenging for many HIPAA-regulated entities.

HIPAA compliance has proven to be a challenge for self-insured health plans, with almost all failing to address the requirements. Lack of familiarity with HIPAA’s components can leave employers ill-equipped to adequately address any HIPAA shortcomings. Employers should treat these requirements the same as any other fiduciary duty.

In this article, we’ll cover:

  • The types of entities required to comply with HIPAA privacy and security requirements.
  • The type of health plans that HIPAA covers.
  • Nine things to consider for Self-Insured Health Plan HIPAA compliance.
  • How to correct deficiencies related to those nine considerations.

Who does HIPAA apply to?

HIPAA privacy and security requirements apply to health providers, insurance companies, and employer-sponsored group health plans.

The employers who sponsor these health plans are not directly subject to HIPAA’s legal rules. Instead, HIPAA treats the health plan itself as a separate entity that must follow its rules. Practically speaking, however, the employers who sponsor the plans are the ones responsible for making sure that their health plans comply with HIPAA.

What types of health plans does HIPAA apply to?

This responsibility extends to all employer plans that cover health care, including:

  • Medical
  • Dental
  • Vision
  • Prescription drugs
  • Health reimbursement arrangements
  • Health flexible spending accounts
  • Most Employee Assistance Programs that provide medical care

Wellness programs are not part of a group-insured health plan.

HIPAA applies to all health plans regardless of whether they are insured or self-funded. However, sponsors of insured plans with limited access to their plan’s protected health information (“PHI”) will have far fewer compliance obligations. This is because the insurer (also a covered entity) will assume most of the responsibilities concerning the plan. Third-party administrators (“TPAs”) cannot assume the same duties for their self-insured clients. TPAs are considered “business associates” and have their own HIPAA responsibilities.

9 Considerations for HIPAA Compliance

#1 Consider All Plans Offered

Many of the health plans that employers offer are subject to HIPAA privacy and security requirements, not just the standard group health plan. Employers should review all plans they sponsor to determine which are encompassed by HIPAA. Suppose an employer only pays attention to its group health plan. In that case, PHI associated with its other health plans may not be adequately protected. For example, an employer sponsoring an insured group health plan with limited access to the plan’s PHI may be relying on the “lighter” compliance requirements that apply to it; there could be a problem if that employer also sponsors a self-funded plan (such as a health FSA or a health reimbursement arrangement (“HRA”)).

Plan sponsors should review every health plan to determine which are subject to HIPAA privacy and security requirements. HIPAA permits plan sponsors to designate their plans as a single Organized Health Care Arrangement (“OHCA”), allowing the plan sponsor to undertake just one compliance effort on behalf of all plans and policies.

#2 Focus on Full Compliance

Often, employers want to know if there is a certification program that an entity can complete that deems the entity HIPAA compliant, but unfortunately none exists. Employers need to be careful to avoid falling into the trap of thinking that one or two compliance efforts are sufficient, and instead focus on full compliance.

Employers must have written policies and procedures in place that are appropriately implemented and overseen. Appointing a Privacy or Security Official and having a Notice of Privacy Practices is required, rather than simply providing training to existing employees. Consider all the privacy and security requirements as interconnected pieces. Each part contributes to the whole puzzle of HIPAA compliance.

#3 Don’t Rely on the TPA for Compliance

Employers sponsoring self-funded health plans have no regulatory exception to their compliance obligations comparable to the one available to sponsors of insured health plans. The employer must do more than delegate these obligations, even though it has delegated most of its plan administration responsibilities to its TPA.

As a plan sponsor, the employer is still fully responsible for making sure that required policies and procedures are in place. The employer must appropriately address all HIPAA rules under privacy and security. While the employer may delegate many of these obligations to the TPA through a business associate agreement, it must recognize its obligations.

First, an employer must understand the covered entity’s duties under HIPAA. Next, it must determine which responsibilities will be delegated to the TPA. Finally, the employer should communicate to the TPA through the business associate agreement how the TPA is expected to handle PHI and administer the plan.

#4 Conduct a Risk Analysis

The Security Rule requires all covered entities (and business associates) to conduct a risk analysis. The risk analysis aims to review the employer’s security controls in light of HIPAA’s requirements and determine the level of risk to the plan’s PHI. Failing to conduct an adequate risk analysis and to take appropriate mitigation steps for issues identified as higher risk can increase the entity’s risk of a breach and its exposure to civil penalties. Looking at the major causes of breach settlements over the past few years, failure to conduct a risk analysis is one of the most commonly cited failures.

The Security Rule does not prescribe a methodology for conducting a risk analysis. Typically, the process will involve gathering an inventory of the systems and applications where ePHI is stored, maintained, or transmitted and comparing the security controls that are in place against the controls contained in the Security Rule. The entity should decide the level of risk it believes it has concerning its ePHI and then develop a mitigation plan for those risks. The risk analysis must then be reviewed periodically, preferably annually, to make any necessary updates.

#5 Properly Identify PHI

Because employers act in multiple roles, PHI can be a tricky concept. PHI is created only when individually identifiable health information is transmitted or received by the health plan and made a part of the health plan’s records. In its other roles, the employer may handle individually identifiable health information for many reasons unrelated to its health plan.

For example, employers might collect the results of drug tests as a condition of hire or may require medical certifications from doctors to support a request for leave under FMLA. If an employer is using medical information in its role as an employer and not for purposes of administering its plan, that information is not PHI. It may be the same type of information, but if it’s not coming from the employer’s health plan records, then it’s not PHI in the hands of the employer. It’s important to handle this kind of employer information carefully, but it is not subject to HIPAA.

On the other end of the spectrum, there is the problem of employers thinking that information is only PHI if it contains detailed claims information such as a diagnosis code or discusses treatment. The definition of PHI is comprehensive. The information can refer to a name or a date of birth. Any individually identifiable information gathered from the health plan records is PHI.

Employers must properly classify individually identifiable information to determine the proper safeguards for protecting it. Whether or not HIPAA protects the information, it will invariably be protected under some other federal or state law.

#6 Identify Business Associates

A “business associate” is a person or entity, other than a member of a covered entity’s workforce, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to PHI. For example, a business associate could be a subcontractor who creates, receives, maintains, or transmits protected health information on behalf of another business associate.

The HIPAA Rules generally require covered entities and business associates to enter contracts (Business Associate Agreements or “BAAs”) to make sure that the business associate safeguards protected health information appropriately. The BAA also clarifies and limits, as appropriate, the permissible uses and disclosures of protected health information by the business associate based on the relationship between the parties and the activities or services being performed by the business associate.

A business associate may use or disclose protected health information only as permitted or required by its BAA or as required by law. A business associate is directly liable under the HIPAA Rules and subject to civil and, in some cases, criminal penalties for making uses and disclosures of protected health information that are not authorized by its BAA or required by law. A business associate is also directly liable and subject to civil penalties for failing to safeguard ePHI in accordance with the HIPAA Security Rule. Without BAAs, the employer violates HIPAA and exposes the entity to increased liability.

#7 Tailor the Notice of Privacy Practices

The Notice of Privacy Practices (“NPP”) is the document that describes an individual’s rights concerning their PHI. It informs the individual how the plan uses and discloses PHI and what its legal obligations are concerning the PHI. Since plans will have unique practices for using and disclosing PHI, the NPP must be appropriately modified to describe these practices accurately. In addition, the NPP should be clear about which plans it applies to, such as the medical, dental, or vision plan.

Employers often rely on an NPP provided by their health insurance carrier that does nothing to address HIPAA obligations of other plans the employer sponsors, such as the dental plan, vision plan, or health FSA. Employers may need to draft their own NPP to address multiple plans properly.

#8 Provide Training

HIPAA requires training under both the Privacy and Security Rules. Without a prescribed training format, plan sponsors have flexibility in developing their training. Employers shouldn’t focus so much on privacy that they overlook the security components, including identifying and avoiding malware, training employees on the company’s password policies, etc.

Although privacy training needs to be provided only to employees responsible for plan administration who have access to PHI in that role, security training should be provided to all employees, since everyone uses the company’s electronic systems, which are vulnerable to attacks and viruses.

Training on the policies and procedures should extend beyond those that are directly relevant to an individual’s functions. Otherwise, the training could leave gaps that result in violations of areas of the Privacy Rule, such as patient consent and responding to access requests, if these events fall outside an employee’s regular functions and the employee has received no training on them.

#9 Hybrid Entity

Under the HIPAA Privacy Rule, any entity that meets the definition of a covered entity, regardless of size or complexity, will generally be subject to the Privacy Rule. That is, the entire entity will be subject to all of the rules. However, this result can be avoided by designating the entity a HIPAA hybrid entity. Valid HIPAA hybrid entity status offers entities some regulatory relief. As a general matter, only the designated healthcare components of the entity will have to comply with the full scope of the HIPAA Privacy Rule; the non-healthcare components do not.

Suppose an entity properly designates which business activities are healthcare components subject to the rule and properly designates those business activities that are not healthcare components. In that case, the entity has the legal status of a HIPAA hybrid entity.

Navigating HIPAA Compliance

Navigating HIPAA compliance can be complicated. By highlighting some of the common considerations, we hope to shed some light on the crucial tasks employers must do to address HIPAA. Our team can help guide you, whether you need a thorough risk assessment, customized training, or a total HIPAA compliance package.


Stephen Mehaffey

Stephen Mehaffey is an Associate Director in the firm’s Tax Services Group and has over 25 years of accounting experience.
