HIPAA Compliance Risks for Group Health Plans and Plan Sponsors: Employers’ Often Overlooked Compliance Obligations

The Privacy Regulations promulgated pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) continue to be a source of compliance risk for many employers. Whether your business’s employee group health plan (“Plan”) is self-funded or fully insured, as the employer plan sponsor you are responsible for ensuring that the Plan is meeting HIPAA obligations to protect your employees’ protected health information (“PHI”). However, many employers are unaware of their HIPAA obligations with respect to their Plans. This is particularly true for employer sponsors of fully insured Plans, who often erroneously believe they have no HIPAA responsibility because the Plans are primarily administered by health insurance companies. Employers’ failure to ensure their Plans’ compliance with HIPAA could lead to significant liability, particularly in the current atmosphere of substantially increased HIPAA enforcement actions and audits in connection with new HIPAA regulations released earlier this year.

Group Health Plans Under HIPAA

A Plan is considered a “covered entity” and is subject to the requirements of the Privacy Regulations. An employer that is the sponsor of a Plan (the “Plan Sponsor”) is not a covered entity in its own right, and is, therefore, not directly subject to the Privacy Regulations. However, the Privacy Regulations place obligations on the Plan and restrict the flow of information from a Plan to the Plan Sponsor. This ultimately places compliance burdens on the Plan Sponsor, which will vary depending on (i) whether the Plan is self-funded or provides fully insured health benefits through a health insurance issuer or HMO (the “Insurer”), and (ii) the extent of PHI the Plan sponsor receives from the Plan or the Insurer.

Restrictions on Exchange of Health Information Between Plan and Plan Sponsor

Employers are prohibited from freely exchanging PHI with their sponsored Plans. Unless an exception applies (as discussed below), in order for a Plan to disclose PHI to the Plan Sponsor (or to provide for or permit the disclosure of PHI to the Plan Sponsor by an Insurer), the Plan documents must be amended to provide for certain restrictions regarding the flow of information to the Plan Sponsor. Essentially, these Plan amendments require an employer to create a “firewall” between itself (as the Plan Sponsor) and the Plan with regard to employee PHI and likely require employers to change or implement policies and procedures with respect to their handling of such information. Even after the Plan documents are amended, the Plan (or an Insurer on its behalf) may disclose PHI to the employer Plan Sponsor only for certain Plan administrative functions.

There are limited exceptions to the requirement to amend the Plan documents. One such exception is if the employer Plan Sponsor only exchanges “summary health information” with the Plan for the purpose of either (i) obtaining premium bids from Insurers for providing health insurance coverage under the Plan, or (ii) modifying, amending, or terminating the Plan. “Summary health information” generally means information that summarizes the claims history, claims expenses, or type of claims experienced by the participants of the Plan, but from which certain identifying information has been deleted.

Distinction Between Fully Insured and Self-Funded Plans

A Plan – and, by extension, the Plan Sponsor – may have numerous additional HIPAA obligations depending on whether it is fully insured or self-funded. For instance, all self-funded Plans are required to implement HIPAA policies and procedures regarding PHI and to undertake other significant administrative obligations, while fully insured Plans may not be subject to these requirements, depending on the extent of PHI they create or receive.

Employers should immediately review and assess their obligations under HIPAA to ensure their compliance. Wolff & Samson is prepared to assist clients with all their HIPAA compliance needs. Should you have any questions regarding your Plan’s HIPAA obligations, please do not hesitate to contact an attorney in our Health Care and Hospital Group.
